Kentico Xperience <= 13.0.164 Cookie Security Configuration

Advisories

severity: medium
date: December 18, 2025
Affecting: Xperience <= 13.0.164
CVE: CVE-2024-58317
CWE: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CVSS: 6.9
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References: Kentico DevNet Hotfixes
Credit: Crafted Media Ltd.
Description: A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. The vulnerability affects .NET Framework projects by incorrectly handling the 'requireSSL' attribute, potentially compromising session security and authentication state.