CVE-2018-7205
📊 4.8 MEDIUM⚡ 0.2%🎯 0 exploits
📅 Published Feb 20, 2018
📋 Status: Modified
Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the "Pages -> Edit template properties -> Device Layouts -> Create device layout (and edit created device layout) -> Design" screens. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout
CVSS v3.0 • NVD
🎯 Affected Products & Systems
1 product configurations affected
Filter by type:
| Type | Vendor | Product | Version Range | Status | CPE String |
|---|---|---|---|---|---|
📱App | kentico | kentico cms | ≥ 9.0 ∧ ≤ 11.0 | Vulnerable | cpe:2.3:a:kentico:kentico_cms:*:*:*:*:*:*:*:* |
📱
VulnerableApplication
Version: ≥ 9.0 ∧ ≤ 11.0
CPE:
cpe:2.3:a:kentico:kentico_cms:*:*:*:*:*:*:*:*
Metrics
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector:
NETWORK
Complexity:
LOW
Privileges:
HIGH
User Interaction:
REQUIRED
Confidentiality:
LOW
Integrity:
LOW
Availability:
NONE
Scope:
CHANGED
🔍 Technical Details
Analysis Status
ModifiedCVSS Details
4.8 (MEDIUM)v3.0
Source: [email protected]
EPSS Details
0.2% (Minimal)37.2th percentile
Last updated: Oct 30, 2025
Exploitation probability within 30 days
Published Date
Feb 20, 2018 (7 years ago)
Last Modified
Nov 21, 2024 (11 months ago)
Security Weaknesses1
CWE-79
References1
NVD