CVE-2018-7205 Information

Description

LICENSE README.md cvefilelist cvelist nvdcve nvdpages.sh scripts test-CVE-2017-1882.markdown test-CVE-2017-18822.markdown tmpvendorlinks DISPUTED LICENSE README.md cvefilelist cvelist nvdcve nvdpages.sh scripts test-CVE-2017-1882.markdown test-CVE-2017-18822.markdown tmpvendorlinks Reflected Cross-Site Scripting vulnerability in \Design\ on \Edit device layout\ in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the \Pages - Edit template properties - Device Layouts - Create device layout (and edit created device layout) - Design\ screens. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Reference

http://www.securityfocus.com/archive/1/541792/100/0/threaded

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

HIGH

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

4.8