
Description

Kentico Xperience, in .NET Framework projects, does not correctly honor the 'requireSSL' attribute configured in web.config when it sets administration cookies, so those cookies can be issued without the Secure attribute even when the configuration requires SSL. A cookie that lacks the Secure attribute may be transmitted over plain HTTP, where it is exposed to network observation, potentially compromising session security and authentication state. The VulnCheck advisory referenced below lists Kentico Xperience versions up to and including 13.0.164 as affected; the vendor fix is distributed through the Kentico hotfix channel.
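The Python script below is added here as an illustration of the check a practitioner would run for this class of bug; it is not code from Kentico or from the advisory. It audits an ASP.NET web.config for the two standard requireSSL attributes (on the httpCookies element and on the forms element) and audits the Set-Cookie headers of an HTTPS response for the Secure attribute. The config contents, header values and cookie names are constructed samples. Because this record describes the application mishandling requireSSL rather than the attribute being absent, a passing config audit is not evidence of safety: the header audit against a real HTTPS administration login response is the test that matters, and the vendor hotfix is the fix.

```python
"""Cookie Secure-flag audit: checks an ASP.NET web.config for requireSSL and
checks Set-Cookie headers for the Secure attribute.

Added illustration for the CVE-2024-58317 class of bug (CWE-614); this is not
Kentico code. Config contents and cookie names below are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a web.config that never asks ASP.NET for Secure cookies.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Admin" timeout="60" />
    </authentication>
  </system.web>
</configuration>
"""

# Constructed sample: the same file with requireSSL="true" on both elements,
# which is what a hardened .NET Framework site should carry.
HARDENED_WEB_CONFIG = WEAK_WEB_CONFIG.replace(
    '<httpCookies httpOnlyCookies="true" />',
    '<httpCookies httpOnlyCookies="true" requireSSL="true" />',
).replace(
    'timeout="60" />',
    'timeout="60" requireSSL="true" />',
)

# Constructed sample: Set-Cookie values as an HTTPS admin login response might
# return them. Names are hypothetical, not Kentico's actual cookie names.
SAMPLE_SET_COOKIE = [
    "AdminSession=3f9c1e; path=/; HttpOnly",
    "CsrfToken=a81b; path=/; HttpOnly; Secure",
    ".ASPXAUTH=7d0e; path=/; HttpOnly; SameSite=Lax",
]


def audit_web_config(xml_text):
    """Return {"httpCookies": bool, "forms": bool}: True where requireSSL="true".

    httpCookies/requireSSL makes cookies Secure by default; forms/requireSSL
    covers the forms-authentication ticket cookie. A missing element or
    attribute counts as False, which is ASP.NET's default.
    """
    root = ET.fromstring(xml_text)
    verdict = {}
    for tag in ("httpCookies", "forms"):
        element = next(root.iter(tag), None)
        value = element.get("requireSSL", "false") if element is not None else "false"
        verdict[tag] = value.strip().lower() == "true"
    return verdict


def cookie_name(set_cookie_value):
    """Extract the cookie name from a Set-Cookie header value."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def cookies_without_secure(set_cookie_values):
    """Return names of cookies whose Set-Cookie value lacks the Secure attribute.

    Attribute matching is case-insensitive, as browsers treat it.
    """
    missing = []
    for value in set_cookie_values:
        attrs = [part.strip().lower() for part in value.split(";")[1:]]
        if "secure" not in attrs:
            missing.append(cookie_name(value))
    return missing


if __name__ == "__main__":
    print("weak web.config    :", audit_web_config(WEAK_WEB_CONFIG))
    print("hardened web.config:", audit_web_config(HARDENED_WEB_CONFIG))
    # The config audit shows intent; the response audit shows behaviour.
    # An application that ignores requireSSL (the bug this record describes)
    # passes the first check and fails the second.
    print("cookies missing Secure:", cookies_without_secure(SAMPLE_SET_COOKIE))
```

Run the script directly to see both audits against the constructed samples. To use the header audit on a real deployment, collect the Set-Cookie values from an HTTPS request to the administration login and pass them to cookies_without_secure; any administration cookie it reports is one the browser will also send over plain HTTP.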

Status: PUBLISHED | Reserved: 2025-12-17 | Published: 2025-12-18 | Updated: 2025-12-18 | Assigner: VulnCheck

Severity

CVSS 4.0: 6.9 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)
CVSS 3.1: 5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Problem types

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)

Product status

Any version: affected

Credits

Crafted Media Ltd. (finder)

References

devnet.kentico.com/download/hotfixes (Kentico DevNet Hotfixes) [vendor-advisory, patch]

www.vulncheck.com/...xperience-cookie-security-configuration (VulnCheck Advisory: Kentico Xperience <= 13.0.164 Cookie Security Configuration) [third-party-advisory]

cve.org (CVE-2024-58317)

nvd.nist.gov (CVE-2024-58317)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.