A couple of vulnerabilities have been made public for Kentico recently. Their source states they've reached out to the vendor (Kentico); the researcher states: "I've contacted the vendor and he fixed the vulnerability in the next major version". The vulnerabilities include a cross-site scripting (XSS) vuln and an open redirect vuln.
Unfortunately, the next major version is not out. I would like to know when this fix will be available in the form of a hotfix for Kentico 8.2 instead of a new major version. The researcher states this works on versions 8.2.0 - 8.2.41, though hotfixes .42 and .43 have no mention of a fix for this issue.
I tried out a couple of these locally on 8.2.25 and was unable to get them to perform as described, so they might only be exploitable in combination with default IIS configurations. My local version is, however, heavily modified to adhere to STIG guidelines.
I simply want to know if we can expect a hotfix for these vulns or if we have to wait until version 9 (or 8.3; I haven't looked at the roadmap recently).
I believe these were fixed in the 8.2.42 hotfix, according to the security newsletter.
I'd contact Kentico Support directly with this question. I happen to remember seeing a post/tweet stating this was already resolved in v7.