CVE-2025-2878 MEDIUM

CVE-2025-2878: Kentico CMS Additional Database Installation Wizard install.aspx cross site scripting

Vendor Kentico

Product CMS

Weakness CWE-79 · XSS

Published March 27, 2025

Last update March 28, 2025

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A vulnerability was found in Kentico CMS up to 13.0.178. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /CMSInstall/install.aspx of the component Additional Database Installation Wizard. The manipulation of the argument new database leads to cross site scripting. The attack can be launched remotely. Upgrading to version 13.0.179 is able to address this issue. It is recommended to upgrade the affected component.

Key dates

02Disclosure timeline

March 27, 2025 CVE published

March 28, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-2878 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2025-2878: Kentico CMS Additional Database Installation Wizard install.aspx cross site scripting

01Description

02Disclosure timeline

03References

04Related CVE