Vulnerability Change Records for CVE-2019-12102

Change History

CVE Modified by MITRE 7/17/2019 4:15:11 PM

Action Type Old Value New Value
Changed Description
** DISPUTED ** Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx URI. NOTE: The vendor disputes the report because the researcher did not configure the media library permissions correctly. The vendor states that by default all users can read/modify/upload files, and it's up to the administrator to decide who should have access to the media library and set the permissions accordingly. See the vendor documentation in the references for more information.
** DISPUTED ** Kentico 11 through 12 lets attackers upload and explore files without authentication via the cmsmodules/medialibrary/formcontrols/liveselectors/insertimageormedia/tabs_media.aspx URI. NOTE: The vendor disputes the report because the researcher did not configure the media library permissions correctly. The vendor states that by default all users can read/modify/upload files, and it's up to the administrator to decide who should have access to the media library and set the permissions accordingly. See the vendor documentation in the references for more information.
Added Reference
https://docs.kentico.com/k12/configuring-kentico/configuring-the-environment-for-content-editors/configuring-media-libraries/assigning-permissions-to-media-libraries [No Types Assigned]

Initial Analysis 5/23/2019 10:56:33 AM

Action Type Old Value New Value
Added CPE Configuration
OR
     *cpe:2.3:a:kentico:kentico:*:*:*:*:*:*:*:* versions from (including) 11.0.0 up to (including) 12.0
Added CVSS V2
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
Added CVSS V3
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Added CWE
CWE-20
Changed Reference Type
https://devnet.kentico.com/download/hotfixes No Types Assigned
https://devnet.kentico.com/download/hotfixes Vendor Advisory
Changed Reference Type
https://docs.kentico.com/k12/release-notes-kentico-12 No Types Assigned
https://docs.kentico.com/k12/release-notes-kentico-12 Release Notes, Vendor Advisory
Changed Reference Type
https://github.com/Gr4y21/My-CVE-IDs/blob/master/Kentico%20CMS%20Unauthenticated%20File%20Upload%20and%20File%20Exposure No Types Assigned
https://github.com/Gr4y21/My-CVE-IDs/blob/master/Kentico%20CMS%20Unauthenticated%20File%20Upload%20and%20File%20Exposure Broken Link

CWE Remap 8/24/2020 1:37:01 PM

Action Type Old Value New Value
Changed CWE
CWE-20
CWE-732