CVE-2025-32370
Published 2025-04-06
Priority: P2 (60) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available (see Detection & IOCs below)
EPSS: 1.35% (68.0th percentile)
Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed through TryZipProviderSafe, there is additional functionality to create files with other extensions. NOTE: this is a separate issue not necessarily related to SVG or XSS.
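As an added illustration of the bug class the description names (example code written for this page, not Kentico's code: the real ContentUploader handler, TryZipProviderSafe and the product's actual allowlist are not reproduced, and the allowlist below is a placeholder), here is an upload handler that enforces its extension allowlist on the uploaded filename only, so a .zip upload is expanded and its members land on disk with whatever extension they carry, beside a hardened version that applies the same allowlist to every archive member and also rejects traversal and nested archives:

```python
"""Illustrative analogue of the allowlist bypass described above.

Constructed example, not Kentico's code: the real handler and
TryZipProviderSafe are not reproduced. The pattern shown is the general
one: the allowlist is checked against the name of the uploaded file, but a
.zip upload is expanded and each member is written with whatever extension
it carries inside the archive.
"""
from __future__ import annotations

import io
import os
import posixpath
import tempfile
import zipfile

# Placeholder allowlist for the demonstration; the product's actual list is
# not reproduced on the page.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".zip"}


def extension_allowed(filename: str) -> bool:
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def build_zip(members: dict[str, bytes]) -> bytes:
    """Builds an in-memory ZIP from {member_name: content} (test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def vulnerable_upload(filename: str, data: bytes, dest: str) -> list[str]:
    """Checks only the outer filename, then expands archives unchecked."""
    if not extension_allowed(filename):
        raise ValueError(f"extension not allowed: {filename}")
    if filename.lower().endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.extractall(dest)  # members keep their own extensions
            return [m.filename for m in zf.infolist()]
    with open(os.path.join(dest, os.path.basename(filename)), "wb") as fh:
        fh.write(data)
    return [filename]


def hardened_upload(filename: str, data: bytes, dest: str) -> list[str]:
    """Applies the allowlist to every archive member and rejects traversal,
    absolute paths, backslashes and nested archives before writing."""
    if not extension_allowed(filename):
        raise ValueError(f"extension not allowed: {filename}")
    if not filename.lower().endswith(".zip"):
        with open(os.path.join(dest, os.path.basename(filename)), "wb") as fh:
            fh.write(data)
        return [filename]
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            name = member.filename
            norm = posixpath.normpath(name)
            if name.startswith("/") or "\\" in name or norm == ".." or norm.startswith("../"):
                raise ValueError(f"unsafe member path: {name}")
            if name.lower().endswith(".zip") or not extension_allowed(name):
                raise ValueError(f"archive member not allowed: {name}")
            target = os.path.join(dest, *norm.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(member))
            written.append(name)
    return written


def demo() -> dict:
    """Runs both handlers on constructed ZIPs: one hides an .svg with a
    script tag behind an allowed .zip name, one carries a traversal member,
    one is clean."""
    payload = build_zip({
        "logo.png": b"\x89PNG",
        "inject.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert("XSS")</script></svg>',
    })
    traversal = build_zip({"../escape.png": b"z"})
    clean = build_zip({"a.png": b"x", "docs/b.pdf": b"y"})
    out: dict = {}
    with tempfile.TemporaryDirectory() as d:
        out["vulnerable"] = vulnerable_upload("files.zip", payload, d)
        out["vulnerable_on_disk"] = sorted(os.listdir(d))
    for label, blob in (("hardened", payload), ("hardened_traversal", traversal)):
        with tempfile.TemporaryDirectory() as d:
            try:
                hardened_upload("files.zip", blob, d)
                out[label] = "accepted"
            except ValueError as exc:
                out[label] = str(exc)
    with tempfile.TemporaryDirectory() as d:
        out["hardened_clean"] = hardened_upload("ok.zip", clean, d)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler writes inject.svg to the upload directory even though .svg is not on the allowlist, which is the primitive the description calls out; the hardened handler refuses the whole archive on the first disallowed member rather than silently skipping it, so a rejected upload is visible to the client and to logs.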
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kentico | xperience | < 13.0.178 | 13.0.178 |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP POST requests to MultiFileUploader.ashx with query parameters Filename=*.zip and Complete=false, which is the upload vector for this CVE.
- Detect ZIP file uploads to the Kentico CMSModules upload endpoint with Content-Type: application/octet-stream from unauthenticated sessions; the ZIP is processed by TryZipProviderSafe to extract files with otherwise-disallowed extensions (e.g. .svg, .svc).
- Alert on files with non-standard or unexpected extensions (e.g. .svg, .svc) appearing in Kentico upload directories following a ZIP upload, as these bypass the ContentUploader allowlist.
- The embedded SVG payload contains an inline script tag with alert("XSS"); hunt for SVG files containing <script> tags in Kentico upload directories as evidence of exploitation.
- The exploit targets Kentico Xperience versions strictly before 13.0.178; version 13.0.178 and later are patched. Confirm the deployed version before applying detection rules, to avoid false positives on patched instances.
- The NVD advisory notes this ZIP-based extension bypass is a separate issue not necessarily related to SVG or XSS: the upload primitive itself (arbitrary extension creation via TryZipProviderSafe) is the core vulnerability and may be used to drop other file types beyond SVG.
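An added hunting example that turns the indicators above into code (written for this page, not taken from the page's sources): it flags the upload requests in W3C-style web server log lines and scans an upload directory for files that slipped past the allowlist. The log field order, the URI stems, the sample lines and the allowlist are all constructed placeholders; the detector matches only the handler name MultiFileUploader.ashx, the Filename and Complete query parameters, and an empty cs-username as the unauthenticated marker. Real IIS logs carry a #Fields: header that should be parsed instead of the fixed order assumed here.

```python
"""Added hunting example for the indicators above, not from the page's
sources: flags the upload requests in W3C-style log lines and scans an
upload directory for files that bypassed the allowlist.

Assumptions: the log field layout is a constructed W3C order
(date time cs-method cs-uri-stem cs-uri-query cs-username sc-status).
The URI stems and the allowlist are placeholders, not Kentico's actual
paths or list; only the handler name MultiFileUploader.ashx is matched.
"""
from __future__ import annotations

import os
import re
import tempfile
from urllib.parse import parse_qs

FIELDS = ["date", "time", "cs-method", "cs-uri-stem",
          "cs-uri-query", "cs-username", "sc-status"]

# Placeholder allowlist; the product's actual list is not on the page.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".zip"}

# Constructed sample log: line 1 matches the IOC (unauthenticated POST,
# Filename=*.zip, Complete=false); 2 is an allowed image upload; 3 is an
# unrelated GET; 4 is the same zip upload by an authenticated user.
SAMPLE_LOG = """\
2025-04-07 10:01:12 POST /cms/upload/MultiFileUploader.ashx Filename=payload.zip&Complete=false - 200
2025-04-07 10:01:15 POST /cms/upload/MultiFileUploader.ashx Filename=photo.jpg&Complete=false - 200
2025-04-07 10:02:40 GET /getmedia/logo.png - - 200
2025-04-07 10:03:01 POST /cms/upload/multifileuploader.ashx Filename=Archive.ZIP&Complete=false editor 200
"""

SCRIPT_RE = re.compile(rb"<\s*script\b", re.IGNORECASE)


def parse_line(line: str) -> dict[str, str] | None:
    """Splits one W3C-style line into a field dict; None if it does not fit."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_suspicious_upload(rec: dict[str, str]) -> bool:
    """Unauthenticated POST to MultiFileUploader.ashx with a .zip Filename
    and Complete=false, matched case-insensitively."""
    if rec["cs-method"].upper() != "POST":
        return False
    if not rec["cs-uri-stem"].lower().endswith("/multifileuploader.ashx"):
        return False
    raw = rec["cs-uri-query"]
    query = parse_qs(raw, keep_blank_values=True) if raw != "-" else {}
    query = {k.lower(): [v.lower() for v in vs] for k, vs in query.items()}
    filename = query.get("filename", [""])[0]
    complete = query.get("complete", [""])[0]
    return (filename.endswith(".zip") and complete == "false"
            and rec["cs-username"] == "-")


def find_suspicious_uploads(log_text: str) -> list[dict[str, str]]:
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious_upload(rec):
            hits.append(rec)
    return hits


def scan_upload_dir(root: str, allowed=ALLOWED_EXTENSIONS) -> list[tuple[str, str]]:
    """Reports files whose extension is outside the allowlist and SVGs that
    contain a <script> tag, as (relative path, reason) pairs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext not in allowed:
                findings.append((rel, "extension outside allowlist"))
            if ext == ".svg":
                with open(path, "rb") as fh:
                    if SCRIPT_RE.search(fh.read()):
                        findings.append((rel, "svg contains <script>"))
    return sorted(findings)


def demo() -> dict:
    """Runs both checks on the constructed log and a constructed upload dir."""
    out = {"log_hits": find_suspicious_uploads(SAMPLE_LOG)}
    with tempfile.TemporaryDirectory() as d:
        files = {
            "logo.png": b"\x89PNG",
            "inject.svg": b'<svg><script>alert("XSS")</script></svg>',
            "shell.svc": b"constructed placeholder, not a real service",
        }
        for name, content in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(content)
        out["dir_findings"] = scan_upload_dir(d)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The log check deliberately drops the authenticated variant (line 4) because the IOC is about unauthenticated uploads; on an instance where editors legitimately upload ZIPs, that filter is what keeps the rule quiet. The directory scan is the post-exploitation half: an .svg or .svc under the upload root is a finding on its own, and an SVG carrying a script tag is reported a second time as likely evidence of exploitation.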
No detection rules found.
No writeups or analysis indexed.