CVE-2024-58317

Summary

A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. The vulnerability affects .NET Framework projects by incorrectly handling the 'requireSSL' attribute, potentially compromising session security and authentication state.

Affected Software

VendorProductVersion RangeStatus
KenticoXperience0 <= 13.0.164affected

Weaknesses

  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References