CVE-2025-32370
06.04.2025, 07:15
Kentico Xperience before 13.0.178 restricts unauthenticated ContentUploader uploads to a specific set of allowed file extensions; however, because .zip uploads are processed through TryZipProviderSafe, the contents of an uploaded archive can be used to create files with extensions outside that allowed set. NOTE: this is a separate issue, not necessarily related to SVG or XSS.
Vendor | Product | Version
---|---|---
kentico | xperience | x < 13.0.178

x = vulnerable software versions
Common Weakness Enumeration
- CWE-912 - Hidden Functionality: The software contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the software's users or administrators.
- CWE-434 - Unrestricted Upload of File with Dangerous Type: The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
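The pattern described in the advisory (an upload-extension allowlist that is enforced on the uploaded file name but not on the entries written out when a .zip is unpacked) is shown below as an added example. This is illustrative Python written for this page, not Kentico code: the allowlist contents, the function names `naive_upload` and `hardened_upload`, and the sample archives are all constructed assumptions, and nothing here reproduces the real ContentUploader or TryZipProviderSafe logic. The hardened variant applies the same allowlist to every archive entry and also rejects path traversal, which is the check a reviewer would want alongside the extension check.

```python
from __future__ import annotations

import io
import posixpath
import zipfile

# Hypothetical allowlist for an unauthenticated uploader: image types plus .zip.
# Server-executable types (.aspx, .ashx, .config, ...) are deliberately absent.
ALLOWED_EXTENSIONS = {".jpg", ".png", ".gif", ".zip"}


def extension_of(name: str) -> str:
    """Lower-cased final extension, e.g. 'Shell.ASPX' -> '.aspx'; '' if none."""
    _, dot, ext = name.rpartition(".")
    return ("." + ext.lower()) if dot else ""


def safe_entry_name(name: str) -> str | None:
    """Normalise an archive entry name; return None if it would escape the target dir."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    first = norm.split("/")[0]
    if norm.startswith("/") or norm == ".." or norm.startswith("../") or ":" in first:
        return None
    return norm


def naive_upload(filename: str, data: bytes) -> dict[str, bytes]:
    """Vulnerable pattern: the allowlist is checked on the upload name only.
    A .zip passes that check, and every entry inside it is then written out
    regardless of its own extension, so the allowlist is bypassed."""
    if extension_of(filename) not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    if extension_of(filename) != ".zip":
        return {filename: data}
    written: dict[str, bytes] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            written[info.filename] = zf.read(info)  # no per-entry check
    return written


def hardened_upload(filename: str, data: bytes) -> dict[str, bytes]:
    """Hardened pattern: the allowlist (minus .zip, to avoid nested archives) is
    applied to every extracted entry, traversal is rejected, and a single bad
    entry fails the whole upload instead of writing the good ones first."""
    if extension_of(filename) not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    if extension_of(filename) != ".zip":
        return {filename: data}
    entry_allowlist = ALLOWED_EXTENSIONS - {".zip"}
    written: dict[str, bytes] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            rel = safe_entry_name(info.filename)
            if rel is None:
                raise ValueError(f"unsafe path in archive: {info.filename!r}")
            if extension_of(rel) not in entry_allowlist:
                raise ValueError(f"entry extension not allowed: {info.filename!r}")
            written[rel] = zf.read(info)
    return written


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {entry_name: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives (contents are placeholders, not real files).
MALICIOUS_ZIP = build_zip({
    "photo.jpg": b"\xff\xd8\xff",
    "shell.aspx": b"<% Response.Write(\"hello\") %>",  # would be written by naive_upload
})
BENIGN_ZIP = build_zip({"gallery/photo.jpg": b"\xff\xd8\xff"})
TRAVERSAL_ZIP = build_zip({"../web.config": b"<configuration/>"})


if __name__ == "__main__":
    print("naive   :", sorted(naive_upload("pack.zip", MALICIOUS_ZIP)))
    for label, blob in (("malicious", MALICIOUS_ZIP), ("traversal", TRAVERSAL_ZIP)):
        try:
            hardened_upload("pack.zip", blob)
        except ValueError as exc:
            print(f"hardened ({label}): rejected: {exc}")
    print("hardened (benign):", sorted(hardened_upload("pack.zip", BENIGN_ZIP)))
```

The important design choice is that the per-entry check reuses the same allowlist as the direct upload path rather than a second, looser list; any time an upload handler can materialise more than one file from a single request (archives, multipart bundles, server-side conversions), the extension policy has to be evaluated on each file that is actually written to disk, not on the request's file name.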