QwikSec

Security Database

CVE

CWE

Training

CVE-2019-12102

Published: May 22, 2019

Modified: Nov 15, 2024

PUBLISHED

Description

Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx URI. NOTE: The vendor disputes the report because the researcher did not configure the media library permissions correctly. The vendor states that by default all users can read/modify/upload files, and it’s up to the administrator to decide who should have access to the media library and set the permissions accordingly. See the vendor documentation in the references for more information

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://docs.kentico.com/k12/release-notes-kentico-12

x_refsource_MISC

https://devnet.kentico.com/download/hotfixes

x_refsource_MISC

https://github.com/Gr4y21/My-CVE-IDs/blob/master/Kentico%20CMS%20Unauthenticated%20File%20Upload%20and%20File%20Exposure

x_refsource_MISC

https://docs.kentico.com/k12/configuring-kentico/configuring-the-environment-for-content-editors/configuring-media-libraries/assigning-permissions-to-media-libraries

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.