Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Kentico Xperience Staging Service Authentication Bypass Vulnerability

Vulnerability

A vulnerability allowing authentication bypass has been identified in Kentico Xperience CMS version 13.0.178 and prior. This issue arises in the Staging Sync Server component, where password handling for the 'None' authentication type is flawed. As a result, an attacker can bypass authentication and gain control over administrative objects via the Staging API.
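The flaw described above belongs to a well-known class: an authentication type of 'None' is treated as an already-satisfied credential check, so a request naming a valid user is accepted without any secret being verified. The block below is an added illustration of that class, not Kentico's code and not an interaction with the Staging API; the function names, the AUTH_* constants and the in-memory user store are assumptions made for the demonstration. It places the weak pattern next to a fail-closed version that accepts only the password-based type and always verifies the password against a stored hash.

```python
"""Hypothetical illustration of the bug class: a 'None' authentication
type that short-circuits credential verification, beside a fail-closed
version. Not Kentico's implementation; all names here are assumptions."""
import hashlib
import hmac
import os

AUTH_USERNAME_PASSWORD = "UserName"   # assumed name for the password type
AUTH_NONE = "None"                    # the type the page says is mishandled
_ITERATIONS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user_store(users: dict) -> dict:
    """Constructed sample user store: username -> (salt, PBKDF2 hash)."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(password, salt))
    return store


def _password_matches(store: dict, username: str, password) -> bool:
    record = store.get(username)
    if record is None or password is None:
        return False
    salt, expected = record
    # constant-time comparison of the derived hash against the stored one
    return hmac.compare_digest(_hash_password(password, salt), expected)


def authenticate_vulnerable(store: dict, auth_type: str, username: str, password) -> bool:
    """Weak pattern: a request declaring auth type 'None' skips the
    password check entirely, so a known username alone is enough."""
    if auth_type == AUTH_NONE:
        return username in store          # no credential is verified here
    return _password_matches(store, username, password)


def authenticate_hardened(store: dict, auth_type: str, username: str, password) -> bool:
    """Fail closed: only the password-based type is accepted, the
    password must be present, and it must verify against the stored hash."""
    if auth_type != AUTH_USERNAME_PASSWORD:
        return False
    if not username or not password:
        return False
    return _password_matches(store, username, password)


if __name__ == "__main__":
    users = make_user_store({"administrator": "correct horse battery"})  # constructed
    print("vulnerable, type None, no password:",
          authenticate_vulnerable(users, AUTH_NONE, "administrator", None))
    print("hardened,   type None, no password:",
          authenticate_hardened(users, AUTH_NONE, "administrator", None))
```

The defensive point is the shape of `authenticate_hardened`: an unknown or 'None' authentication type is rejected before any lookup, and an absent password is treated as a failure rather than as "nothing to check". When auditing a service that exposes several authentication types, the check to run is exactly this one: for each type the server will accept, which secret does it actually verify, and what happens when that secret is omitted.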

Impact

Exploitation of this vulnerability allows for authentication bypass in the Staging Service API, granting full administrative access to the Kentico Xperience CMS. This access can be leveraged to execute synchronization functions and tasks, potentially leading to unauthorized changes or actions within the CMS.

Reproduction

The vulnerability can be reproduced by sending a SOAP request to the 'CMS.Synchronization.WSE3.SyncServer' endpoint without a password, while specifying a valid username. This can be done using a tool like curl or a Python script that interacts with the Kentico API. After bypassing authentication, the 'ProcessSynchronizationTaskData' method can be called with a crafted 'stagingTaskData' payload that exploits the authentication bypass.

Remediation

Users can upgrade to Kentico Xperience version 13.0.178 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Oct 20, 2025, 2:38 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 5.0
exploitability: 8.5
remediation: 7.7
relevance: 0.0
threat: 9.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.