Kentico Xperience <= 13.0.160 Pages Dashboard Widget Reflected XSS

Advisories

severity: medium
date: December 18, 2025
Affecting: Xperience <= 13.0.160
CVE: CVE-2024-58319
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
References: Kentico DevNet Hotfixes
Credit: Bank of Ayudhya
Description: A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Pages dashboard widget configuration dialog. Attackers can exploit this vulnerability to execute malicious scripts in administrative users' browsers.