Reflected Cross-Site Scripting Vulnerability in Kentico's Edit Device Layout

CVE-2018-7205 · LOW Severity

AV:N/AC:M/AU:S/C:N/I:P/A:N

Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the "Pages -> Edit template properties -> Device Layouts -> Create device layout (and edit created device layout) -> Design" screens. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout

Learn more about our User Device Pen Test.