- Description
- The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS. This issue affects Kentico Xperience through 13.0.178.
- Source
- disclosure@vulncheck.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 6.5
- Impact score
- 3.6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Severity
- MEDIUM
- disclosure@vulncheck.com
- CWE-79
- Hype score
- Not currently trending
A critical flaw in Kentico Xperience CMS (CVE-2025-2748) allows attackers to leverage custom file handlers to escalate an XSS into remote command execution (RCE), compromising web servers. ⚠️👇 KENTICO VULNERABILITY https://t.co/5ZR
@C1B3R53CUR1TY
23 Apr 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 New vuln in Kentico Xperience (CVE-2025-2748): XSS ➡️ RCE via SVG in ZIPs! “We could upload a ZIP… then execute arbitrary JavaScript… then chain to RCE.” Patch now: v13.0.178 🔧 #CyberSecurity #RCE #Kentico 👉 https://t.co/gjK3jEpFM2
@SandroBruscino
7 Apr 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#exploit 1. CVE-2025-2748: XSS To RCE By Abusing Custom File Handlers - Kentico Xperience CMS https://t.co/bMnlsnb4Vd 2. CVE-2025-44228: AnyDesk RCE PoC https://t.co/vGlZNwGVFD 3. CVE-2025-30065: Apache Parquet RCE https://t.co/0uZP5a053F
@ksg93rd
6 Apr 2025
622 Impressions
2 Retweets
11 Likes
7 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-2748 - medium 🚨 Kentico Xperience CMS - Unauthenticated Stored XSS > The Kentico Xperience application does not fully validate or filter files uploaded vi... 👾 https://t.co/ZEgWCg55ZA @pdnuclei #NucleiTemplates #cve
@pdnuclei_bot
1 Apr 2025
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes