Kentico Xperience <= 13.0.158 Shipping Options Stored XSS

Advisories

severity: medium
date: December 18, 2025
Affecting: Xperience <= 13.0.158
CVE: CVE-2024-58322
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: Kentico DevNet Hotfixes
Credit: Bluesoft
Description: A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options configuration. This could lead to potential theft of sensitive data by executing malicious scripts in users' browsers.