CVE-2019-10068
📊 9.8 CRITICAL⚡ 94.1%🎯 0 exploits🏛️ KEV Listed
📅 Published Mar 26, 2019
📋 Status: Modified
An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.
CVSS v3.1 • NVD
🎯 Affected Products & Systems
4 product configurations affected
Filter by type:
| Type | Vendor | Product | Version Range | Status | CPE String |
|---|---|---|---|---|---|
📱App | kentico | kentico | ≥ 9.0.0 ∧ ≤ 9.0.51 | Vulnerable | cpe:2.3:a:kentico:kentico:*:*:*:*:*:*:*:* |
📱App | kentico | kentico | ≥ 10.0.0 ∧ < 10.0.52 | Vulnerable | cpe:2.3:a:kentico:kentico:*:*:*:*:*:*:*:* |
📱App | kentico | kentico | ≥ 11.0.0 ∧ < 11.0.48 | Vulnerable | cpe:2.3:a:kentico:kentico:*:*:*:*:*:*:*:* |
📱App | kentico | kentico | ≥ 12.0.0 ∧ < 12.0.15 | Vulnerable | cpe:2.3:a:kentico:kentico:*:*:*:*:*:*:*:* |
Version: ≥ 9.0.0 ∧ ≤ 9.0.51
CPE:
cpe:2.3:a:kentico:kentico:*:*:*:*:*:*:*:*
Version: ≥ 10.0.0 ∧ < 10.0.52
CPE:
cpe:2.3:a:kentico:kentico:*:*:*:*:*:*:*:*
Version: ≥ 11.0.0 ∧ < 11.0.48
CPE:
cpe:2.3:a:kentico:kentico:*:*:*:*:*:*:*:*
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector:
NETWORK
Complexity:
LOW
Privileges:
NONE
User Interaction:
NONE
Confidentiality:
HIGH
Integrity:
HIGH
Availability:
HIGH
Scope:
UNCHANGED
🔍 Technical Details
Analysis Status
ModifiedCVSS Details
9.8 (CRITICAL)v3.1
Source: [email protected]
EPSS Details
94.1% (Critical)99.9th percentile
Last updated: Oct 31, 2025
Exploitation probability within 30 days
Published Date
Mar 26, 2019 (6 years ago)
Last Modified
Oct 22, 2025 (11 days ago)
Security Weaknesses2
CWE-502
References3
NVDadvisorygeneral