There were several occurrences of a cross-site scripting vulnerability when the system resolved URLs whose relative part contained a special sequence of characters. The vulnerability occurred in the administration interface, as well as controls that could be used on the live site. The issue was fixed by filtering out these characters.
Workaround for all Kentico versions
A manual workaround for this issue is to add URL sequences from "/(A(" to "/(Z(" to the <denyUrlSequence> web.config element. The web.config should contain the following:
<add sequence="/(A(" />
<add sequence="/(B(" />
<add sequence="/(Z(" />
Found in version:
12.0.74 and below
Fixed in version:
Kentico Security Team
Install the latest hotfix. You can download the latest hotfix from Download section on the DevNet portal. If you use an older version of Kentico Xperience, it is highly recommended to upgrade to the latest version.