CVE-2025-32370 HIGH

Vendor Kentico
Product Xperience
Weakness CWE-912
Published April 6, 2025
Last update April 7, 2025

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

What the vulnerability does

Description

Kentico Xperience before 13.0.178 restricts unauthenticated ContentUploader uploads to a specific set of allowed file extensions; however, because .zip files are processed through TryZipProviderSafe, there is additional functionality that can create files with other extensions. NOTE: this is a separate issue not necessarily related to SVG or XSS.

Key dates

Disclosure timeline

April 6, 2025 CVE published
April 7, 2025 Record updated