CVE-2024-58317
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. The vulnerability affects .NET Framework projects by incorrectly handling the 'requireSSL' attribute, potentially compromising session security and authentication state.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Kentico | Xperience | 0 <= 13.0.164 | affected |
Weaknesses
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://devnet.kentico.com/download/hotfixes
- https://www.vulncheck.com/advisories/kentico-xperience-cookie-security-configuration
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.