Security advisory 2024-11-14
Self-cross-site scripting (XSS) attack via Rich text editor
CVSS: 4.8
Affected versions: 22.0.0 - 29.6.3
Category: XSS
Summary
The rich text editor in the administration was vulnerable to self-cross-site scripting (XSS) attacks due to improper input validation when switching between Text and Code View mode. To eliminate this vulnerability, additional sanitization was added to the action that switches the view mode.
How to fix
Update to the latest version. See "Update Xperience by Kentico projects" for detailed instructions.