Kentico Xperience Cookie Security Configuration Vulnerability Allowing SSL Bypass

Vulnerability

A vulnerability in Kentico Xperience in versions through 13.0.164 allows attackers to bypass SSL requirements for administration cookies, potentially compromising session security and authentication. This issue arises from incorrect handling of the 'requireSSL' attribute in .NET Framework projects, which can lead to sensitive cookies being transmitted without the 'Secure' attribute, leaving them vulnerable to interception.

Impact

Exploitation of this vulnerability could lead to sensitive cookies being transmitted over unencrypted channels, allowing for session hijacking and unauthorized access to administrative functions.

Remediation

Users can upgrade to Kentico Xperience version 13.0.165 or later, where this vulnerability has been addressed. Instructions for applying the hotfix are available on the Kentico Xperience Hotfixes page.
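The two places a defender would check, on the mechanism described above and after applying the hotfix, are the `requireSSL` settings in web.config and the `Secure` attribute on the cookies the server actually sets. The following is an added example, not Kentico's code; it assumes .NET Framework's `httpCookies` and `forms` elements (where an absent `requireSSL` means false), and the web.config fragment and Set-Cookie headers are constructed samples (`.ASPXAUTH` and `ASP.NET_SessionId` are the .NET defaults; `AdminPrefs` is a made-up cookie name).

```python
"""Audit requireSSL in web.config and the Secure flag on Set-Cookie headers.

Added example (not Kentico's code). Assumes .NET Framework semantics:
<httpCookies requireSSL> and <forms requireSSL> default to false when absent.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed web.config fragment with the weak setting on both elements.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="false" />
    <authentication mode="Forms">
      <forms loginUrl="~/Admin/Login" requireSSL="false" />
    </authentication>
  </system.web>
</configuration>
"""

# The same fragment with the corrected setting.
HARDENED_WEB_CONFIG = WEAK_WEB_CONFIG.replace('requireSSL="false"', 'requireSSL="true"')


def _require_ssl(elem) -> bool:
    """True only if requireSSL is explicitly "true"; absent element/attribute counts as weak."""
    if elem is None:
        return False
    return elem.get("requireSSL", "false").strip().lower() == "true"


def config_require_ssl(xml_text: str) -> Dict[str, bool]:
    """Return the effective requireSSL value for the two cookie-related elements."""
    root = ET.fromstring(xml_text)
    return {
        "httpCookies": _require_ssl(root.find("./system.web/httpCookies")),
        "forms": _require_ssl(root.find("./system.web/authentication/forms")),
    }


# Constructed Set-Cookie headers as a vulnerable server might emit them over HTTPS.
SAMPLE_SET_COOKIE = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",       # no Secure flag
    ".ASPXAUTH=0123abcd; path=/; HttpOnly; Secure",    # correct
    "AdminPrefs=theme%3Ddark; path=/",                 # constructed name, no flags
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Extract the cookie name and whether Secure / HttpOnly attributes are present."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {"name": name, "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def cookies_missing_secure(headers: List[str]) -> List[str]:
    """Names of cookies that would be sent by the browser over plain HTTP."""
    return [c["name"] for c in map(parse_set_cookie, headers) if not c["secure"]]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, config_require_ssl(cfg))
    print("cookies missing Secure:", cookies_missing_secure(SAMPLE_SET_COOKIE))
```

In practice, feed `config_require_ssl` the deployed web.config and `cookies_missing_secure` the headers of a real HTTPS response to the administration login; after the upgrade every session and authentication cookie should disappear from the "missing Secure" list.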

Added: Dec 18, 2025, 8:23 PM
Updated: Dec 18, 2025, 8:23 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.3
exploitability: 6.8
remediation: 7.7
relevance: 1.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.