Security advisory 2024-11-21

Insecure direct object reference (IDOR) in Form Builder

CVSS: 5.3
Affected versions: 22.0.0 - 29.7.0
Category: IDOR

Summary

A flaw in the Form Builder's authorization layer allowed a direct URL generated for one administration user's Form Builder context to be used by a different administration user, which could enable unauthorized modification of forms. Because the URL is generated by the server rather than constructed by the client, exploitation requires the attacker to first obtain the URL from the authorized user by some other means; the weakness is that possession of the URL was treated as sufficient authorization, with no check that the context belonged to the user presenting it.
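The pattern described above, as an added, generic illustration that is not Kentico's code and does not use the Xperience API: a server-generated, unguessable token is embedded in the edit URL, and the vulnerable handler looks the token up but never ties it back to the authenticated caller. The hardened handler requires the context to exist and to belong to the current user, and returns the same rejection in both the "unknown token" and "someone else's token" cases. All names (FormBuilderService, BuilderContext, the URL layout, the users alice and bob) are constructed for the example.

```python
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a user acts in a Form Builder context that is not theirs."""


@dataclass
class BuilderContext:
    context_id: str   # random, server-generated token embedded in the edit URL
    owner: str        # administration user the context was created for
    form_id: str      # form being edited in this context


class FormBuilderService:
    """Hypothetical stand-in for a Form Builder back end (not Kentico's code)."""

    URL_PREFIX = "/admin/form-builder/"   # assumed URL layout for the example

    def __init__(self) -> None:
        self._contexts: dict[str, BuilderContext] = {}
        self.forms: dict[str, list[str]] = {}

    def open_context(self, user: str, form_id: str) -> str:
        """Create a context for `user` and return the direct URL the UI would use."""
        context_id = secrets.token_urlsafe(16)   # unguessable, but not authorization
        self._contexts[context_id] = BuilderContext(context_id, user, form_id)
        return f"{self.URL_PREFIX}{context_id}/save"

    @classmethod
    def context_id_from_url(cls, url: str) -> str:
        """Extract the context token from a URL produced by open_context."""
        if not url.startswith(cls.URL_PREFIX):
            raise ValueError("not a form-builder URL")
        return url[len(cls.URL_PREFIX):].split("/", 1)[0]

    def save_vulnerable(self, current_user: str, url: str, fields: list[str]) -> str:
        """IDOR: the token is resolved, but current_user is never consulted."""
        ctx = self._contexts[self.context_id_from_url(url)]
        self.forms[ctx.form_id] = list(fields)
        return ctx.form_id

    def save_fixed(self, current_user: str, url: str, fields: list[str]) -> str:
        """Hardened: the context must exist AND belong to the authenticated caller."""
        ctx = self._contexts.get(self.context_id_from_url(url))
        # One branch for "unknown" and "not yours", so the response does not
        # reveal whether a guessed token exists.
        if ctx is None or ctx.owner != current_user:
            raise Forbidden("context does not belong to the current user")
        self.forms[ctx.form_id] = list(fields)
        return ctx.form_id


def demo() -> dict[str, object]:
    """Constructed scenario: alice opens a context, bob reuses her URL."""
    svc = FormBuilderService()
    svc.forms["contact-form"] = ["name", "email"]
    url = svc.open_context("alice", "contact-form")

    # Vulnerable path: bob, holding alice's URL, rewrites her form.
    vulnerable_result = svc.save_vulnerable("bob", url, ["name", "email", "phone"])

    # Fixed path: bob is rejected with the same URL; alice still succeeds.
    try:
        svc.save_fixed("bob", url, ["name"])
        fixed_blocked_bob = False
    except Forbidden:
        fixed_blocked_bob = True
    fixed_owner_result = svc.save_fixed("alice", url, ["name", "email", "company"])

    return {
        "vulnerable_modified": vulnerable_result,
        "fixed_blocked_bob": fixed_blocked_bob,
        "fixed_owner_modified": fixed_owner_result,
        "final_fields": svc.forms["contact-form"],
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the example is that token entropy only determines how the attacker has to obtain the URL (leak, shoulder-surfing, shared screen, logs), not whether they may use it; the ownership check in save_fixed is what closes the IDOR.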

How to fix

Update to the latest version of Xperience by Kentico; versions 22.0.0 through 29.7.0 are affected. See Update Xperience by Kentico projects for detailed instructions.