Kentico Xperience <= 13.0.74 Form Configuration Stored XSS

Advisories

severity: medium
date: December 18, 2025
Affecting: Xperience <= 13.0.74
CVE: CVE-2022-50683
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: Kentico DevNet Hotfixes
Credit: Kentico Security Team
Description: A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form redirect URL configuration. This allows malicious scripts to execute in users' browsers through unvalidated form configuration settings.