Arbitrary Code Execution Vulnerability in Kentico 9-11 via Dynamic .NET Code Evaluation

Arbitrary Code Execution Vulnerability in Kentico 9-11 via Dynamic .NET Code Evaluation

CVE-2018-7046 · HIGH Severity

AV:N/AC:L/AU:S/C:C/I:C/A:C

Arbitrary code execution vulnerability in Kentico 9 through 11 allows remote authenticated users to execute arbitrary operating system commands in a dynamic .NET code evaluation context via C# code in a "Pages -> Edit -> Template -> Edit template properties -> Layout" box. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout

Learn more about our User Device Pen Test.