CVE-2019-25230
Summary: CVE-2019-25230 is an information disclosure vulnerability in the Live Site Widget Properties dialog of Kentico Xperience. It allows authenticated users to view sensitive system objects, exposing information beyond their access level. According to the connected records, the issue ...
Two Stored XSS in Instructions and User Widget
Stored XSS 1
Description
The sanitizer function noxsshtml($html) can be bypassed because its denylist, $bannedelements = 'script', 'iframe', 'embed';, omits a tag that can still carry script. Because of this omission, a logged-in admin can inject XSS payloads into the backend database through the POST...
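The weakness described above is the usual failure mode of a denylist sanitizer: it removes a fixed set of element names and lets everything else through, so any element or attribute not on the list is a bypass. The following is an added example, not the advisory's or the project's code, and the original PHP function is not reproduced here; it is a Python model of the quoted $bannedelements approach placed beside an allowlist sanitizer. The snippet above does not name the tag the advisory says is missing, so the payloads below (an img with an onerror handler, an svg with an onload handler, a javascript: link) are constructed inputs chosen to show the general problem, not the advisory's own payload.

```python
# Added example: a denylist element stripper modelled on the advisory's
# $bannedelements = 'script', 'iframe', 'embed' idea, next to an allowlist
# sanitizer. All inputs are constructed test strings, not data from the page.
from html import escape
from html.parser import HTMLParser

# The three element names quoted in the advisory.
BANNED_ELEMENTS = {"script", "iframe", "embed"}

# Allowlist policy (an assumption for this example): element -> permitted attributes.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "br": set(),
    "a": {"href"},
    "img": {"src", "alt"},
}
VOID_ELEMENTS = {"br", "img"}


def _safe_url(value):
    """Accept only http(s) URLs and same-origin absolute paths (no //host, no javascript:)."""
    v = (value or "").strip().lower()
    if v.startswith(("http://", "https://")):
        return True
    return v.startswith("/") and not v.startswith("//")


def _render_attrs(attrs):
    return "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in attrs)


class _DenylistSanitizer(HTMLParser):
    """Drops banned elements and their content; passes every other tag and attribute through."""

    def __init__(self):
        super().__init__()
        self.out = []
        self.skip_depth = 0  # > 0 while inside a banned element

    def handle_starttag(self, tag, attrs):
        if tag in BANNED_ELEMENTS:
            self.skip_depth += 1
        elif self.skip_depth == 0:
            # Unknown tags and event-handler attributes are re-emitted untouched: the bypass.
            self.out.append(f"<{tag}{_render_attrs(attrs)}>")

    def handle_endtag(self, tag):
        if tag in BANNED_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth == 0:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))


class _AllowlistSanitizer(HTMLParser):
    """Keeps only listed elements and attributes; everything else is dropped, text is escaped."""

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # element dropped; its text content still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # removes on* handlers, style, and anything not explicitly allowed
            if name in ("href", "src") and not _safe_url(value):
                continue  # blocks javascript:, data:, vbscript: and protocol-relative URLs
            kept.append((name, value))
        self.out.append(f"<{tag}{_render_attrs(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def denylist_sanitize(html):
    p = _DenylistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


def allowlist_sanitize(html):
    p = _AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    for payload in ('<script>alert(1)</script>hi',
                    '<img src="/a.png" onerror=alert(1)>',
                    '<svg onload=alert(1)>x</svg>',
                    '<a href="javascript:alert(1)">x</a>'):
        print(f"{payload!r:45} denylist -> {denylist_sanitize(payload)!r}")
        print(f"{'':45} allowlist-> {allowlist_sanitize(payload)!r}")
```

The denylist removes the three named elements but leaves an img with an onerror handler and an svg with an onload handler intact, because neither element name is on the list and attributes are never examined. The allowlist version needs no knowledge of which tags are dangerous: anything not explicitly permitted, including every event-handler attribute and every non-http(s) URL, is discarded. A real deployment should use a maintained library such as DOMPurify or Bleach rather than a hand-written parser, but the policy shape (allow, never deny) is the point the advisory illustrates.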