Hotfix for Kentico XSS/Open Redirect vulnerabilities CVE-2015-7823 and CVE-2015-7822?

Christian Nickel asked on October 23, 2015 17:14

A couple of vulnerabilities have been made public for Kentico recently. Their source states they've reached out to the vendor (Kentico); the researcher states: "I've contacted the vendor and he fixed the vulnerability in the next major version". The vulnerabilities include a cross-site scripting (XSS) vuln and an Open Redirect vuln.

Unfortunately, the next major version is not out; I would like to know whether this fix will be available as a hotfix for Kentico 8.2 instead of in a new major version. The researcher states this works on versions 8.2.0 - 8.2.41, though hotfixes .42 and .43 have no mention of a fix for this issue.

I tried out a couple of these locally on 8.2.25 and was unable to get them to perform as described, so they might only be exploitable in combination with default IIS configurations, though my local version is heavily modified to adhere to STIG guidelines.

I simply want to know whether we can expect a hotfix for these vulns or whether we have to wait until version 9 (or 8.3; I haven't looked at the roadmap recently).

Correct Answer

Zach Perry answered on October 23, 2015 22:22

I believe these were fixed in the 8.2.42 hotfix, according to the security newsletter.

2 votes

Recent Answers

Brenden Kehren answered on October 23, 2015 17:31

I'd contact Kentico Support directly with this question. I happen to remember seeing a post/tweet stating this was already resolved in v7.

1 vote
