vulnerability

Kentico Xperience: CVE-2019-10068: Deserialization of Untrusted Data

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:L/Au:N/C:P/I:P/A:P)	Mar 26, 2019	May 12, 2025	May 13, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published

Mar 26, 2019

Added

May 12, 2025

Modified

May 13, 2025

Description

An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.

Solution

kentico-xperience-upgrade-latest

References

CVE-2019-10068
https://attackerkb.com/topics/CVE-2019-10068
URL-http://packetstormsecurity.com/files/157588/Kentico-CMS-12.0.14-Remote-Command-Execution.html
URL-https://devnet.kentico.com/download/hotfixes#securityBugs-v12

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today