Security advisory 2025-01-09
Broken access control between contact groups and recipient lists
CVSS: 5.3
Affected versions: 24.0.0 - 30.0.1
Category: IDOR
Summary
An authorization issue allowed the modification of contact group objects from the Recipient lists application and recipient list objects from the Contact groups application, even if the user didn’t have permissions for the related application. After applying the fix, permissions are validated correctly, and only objects belonging to the given application can be modified.
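The access-control pattern described in the summary, as an added illustration that is not Xperience by Kentico code: two applications each own one object type, and a modify handler must check not only that the caller holds the application's permission but also that the target object belongs to that application. Application names, object types, the store layout and the function names below are hypothetical; the "vulnerable" and "fixed" handlers model the behaviour the advisory describes, not the product's actual implementation.

```python
"""Toy model of the advisory's authorization flaw (hypothetical names).

Two applications, "contactgroups" and "recipientlists", each manage one
object type. A modify request carries the application it came through and
the id of the object to change. The flawed handler checks only the caller's
permission for that application; the fixed handler additionally requires the
object to belong to that application, so an id from the other application's
object type can no longer be reached through it.
"""
from dataclasses import dataclass


def sample_store():
    """Constructed object store: id -> (object type, display name)."""
    return {
        1: ("contactgroup", "Newsletter subscribers"),
        2: ("recipientlist", "Campaign A recipients"),
    }


# Which object type each (hypothetical) application is allowed to manage.
APP_OBJECT_TYPE = {
    "contactgroups": "contactgroup",
    "recipientlists": "recipientlist",
}


@dataclass(frozen=True)
class User:
    name: str
    app_permissions: frozenset  # applications the user may modify objects in


class Forbidden(Exception):
    """Raised when an authorization check fails."""


def modify_vulnerable(user, application, object_id, new_name, store):
    """Modelled pre-fix behaviour: the caller's permission for the calling
    application is checked, but the object's own type is never compared to
    that application, so a user permitted in one application can rename
    objects that belong to the other one."""
    if application not in user.app_permissions:
        raise Forbidden("no permission for application %r" % application)
    obj_type, _ = store[object_id]
    store[object_id] = (obj_type, new_name)
    return store[object_id]


def modify_fixed(user, application, object_id, new_name, store):
    """Modelled post-fix behaviour: permission is validated AND the object
    must be of the type owned by the application the request came through."""
    if application not in user.app_permissions:
        raise Forbidden("no permission for application %r" % application)
    obj_type, _ = store[object_id]
    if obj_type != APP_OBJECT_TYPE[application]:
        # Cross-application access: the id exists, but not in this application.
        raise Forbidden("object %d does not belong to %r" % (object_id, application))
    store[object_id] = (obj_type, new_name)
    return store[object_id]


def is_forbidden(handler, *args):
    """Return True if the handler rejects the request with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # A user who may only work in Recipient lists tries to rename a contact group.
    editor = User("editor", frozenset({"recipientlists"}))
    print(modify_vulnerable(editor, "recipientlists", 1, "hijacked", sample_store()))
    print(is_forbidden(modify_fixed, editor, "recipientlists", 1, "hijacked", sample_store()))
```

The key check is the second condition in `modify_fixed`: the object type is derived from the stored object, never from the request, and compared against the application's own type, so an attacker-chosen id cannot widen the set of objects reachable through an application the user is permitted in. A log entry for each `Forbidden` raised by that branch is also a cheap detection signal for probing of this kind.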
How to fix
Update to the latest version. See Update Xperience by Kentico projects for detailed instructions.