During a security assessment for one of our customers we identified a vulnerability with a CVSS of 4.9 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) in the deployed version (13.0.44) of the Kentico CMS. According to the published release notes this vulnerability seems to effect newer versions of the software as well. This vulnerability would allow an administrator to access sensitive data of higher privileged users like a global administrator.

A user with the role administrator is allowed to export another user’s settings if its privileges are lower than the currently logged in user. This basically means that a global administrator could export the settings of any other user and an administrator could export the settings of its own account and that of any user which has the role editor or none. Editors are not allowed to export or view other users unless explicitly enabled.

The export functionality is divided into two different steps. First the system verifies that the user has the necessary rights to export the target user’s settings - the target user is defined by the URL parameter objectId. If the current user is authorized to export the account of the target user, the currently logged in user is asked to provide the name of the file which will contain the exported settings. The parameters of the second step are sent to the server via a POST request. The ID of the target user is still sent via the previously mentioned URL parameter and the name of the file is sent via the POST body as the parameter m$c$txtFileName (URL-Encoded).

The following screenshot shows, that if an unauthorized user (e.g. an administrator) tries to start the export process by providing the ID of a global administrator the server rejects this request. In this case the objectId 78 belongs to a global administrator.

An Administrator tries to export a user with global administrator rights

However, the first step is completely irrelevant if it is known how the second request looks like. As the following screenshot demonstrates it was possible to export the global administrator’s settings with a lower privileged user even though the server states that the current user is not authorized to do so.

Ignoring the first step of the export process allows the any user with user management rights to export any other user

By knowing the name of the file – as it was provided by the user itself – it is possible to download this file – a ZIP containing several export related data - as it can be seen on the following screenshot.

Knowing the name of the file allows the user to download the exported files

After downloading ZIP and extracting the data in it, it was possible to gain access to highly sensitive data like the hashed password of the user.

The exported user object as XML

The issue was disclosed privately to the vendor (Kentico) in the form of a responsible disclosure. After some internal analysis they confirmed the existence of the vulnerability and released a hotfix (13.0.66) on 11.04.2022 which resolves this issue. Although an attacker has to have access to the software to exploit this vulnerability we would recommend to update to the newest version nevertheless.

A CVE number has been requests. As soon as it is assigned this article will be updated.

Update 19.04.2022: The CVE number CVE-2022-29287 has been assigned to this issue