Hidden Functionality
CVE-2025-32370
Summary
Kentico Xperience before 13.0.178 restricts unauthenticated ContentUploader uploads to a specific set of allowed file extensions; however, because a .zip upload is processed through TryZipProviderSafe, that code path can create files with extensions outside the allowed set. NOTE: this is a separate issue not necessarily related to SVG or XSS.
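The defender's check this issue calls for is to apply the upload allow list to every entry inside a .zip, not only to the archive's own name. The following is an added illustration, not Kentico's code and not the 13.0.178 fix; the allow list, the entry names and the archive bytes are constructed for the example.

```python
import io
import posixpath
import zipfile

# Constructed allow list for an image-only upload endpoint (not Kentico's list).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".zip"}


def extension_allowed(filename: str) -> bool:
    """The weak check: the allow list is applied to the uploaded name only,
    so 'upload.zip' passes regardless of what the archive contains."""
    return posixpath.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def vet_archive_entries(zip_bytes: bytes, allowed=ALLOWED_EXTENSIONS):
    """Hardened check: every file entry in the archive must itself satisfy
    the allow list. Also refuses absolute paths, path traversal and nested
    archives. Returns (accepted, rejected) entry names; nothing is written
    to disk, a caller would extract only the accepted entries."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue  # directory entries carry no content
            norm = posixpath.normpath(name)
            if name.startswith(("/", "\\")) or "\\" in name or norm.startswith(".."):
                rejected.append(name)
                continue
            ext = posixpath.splitext(norm)[1].lower()
            if ext == ".zip" or ext not in allowed:
                rejected.append(name)  # disallowed extension or nested archive
                continue
            accepted.append(norm)
    return accepted, rejected


def build_sample_zip() -> bytes:
    """Constructed archive: one image plus two entries that must be refused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gallery/photo.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("gallery/notes.txt", b"not an image")
        zf.writestr("../outside.png", b"\x89PNG")
    return buf.getvalue()


if __name__ == "__main__":
    data = build_sample_zip()
    print("outer name passes allow list:", extension_allowed("upload.zip"))
    print("accepted, rejected:", vet_archive_entries(data))
```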
- LOW
- NETWORK
- LOW
- CHANGED
- NONE
- NONE
- NONE
- LOW
CWE-912 - Hidden Functionality
The software contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the software's users or administrators.