Long-since fixed SQL injection bug could allow an unauthenticated attacker to tamper with databases

UPDATED Users of older Kentico CMS builds have been urged to migrate to the most recent supported version of the software following the discovery of a vulnerability that could be exploited to compromise backend databases.

Kentico CMS is an ASP.NET content management system (CMS) for enterprise websites, e-commerce, and both intranet and extranet domains.

The CMS comes with features (PDF) including built-in modules, text editing, blogs, and polls, and is used on over 4,000 websites in 83 countries.

SQL injection flaw

A security vulnerability in the 5.5 R2 5.5.3996 version of Kentico CMS was disclosed by Obrela Labs penetration tester Anastasios Stasinopoulos on March 8.

The flaw, tracked as CVE-2021-27581, resides in the blog functionality module of Kentico CMS, which permits SQL injection attacks to occur via the tagname parameter, such as -- http://target.com/blog?tagname=injectable.

According to Obrela Labs, the CMS security flaw “allowed a potential attacker – without requiring authentication – to interact with the backend Microsoft SQL server database”.


Read more of the latest SQL injection news


Speaking to the The Daily Swig, Stasinopoulos said that “it seems that the root cause is improper sanitization within portal engine components, which is typical for this type of security flaw”.

The researcher said that if successfully exploited, attackers could not only access data stored in a backend database, but could also tamper with or delete information outright.

In addition, as long as “specific parameters” are met, the vulnerability could lead to the “complete compromise of the underlying operating system that hosts Kentico”.

Stasinopoulos said that these conditions could include elevated privileges of a functional account used by Kentico to connect to the backend database, stacked queries being permissible on the vulnerable parameter, or the xp_cmdshell stored procedure being enabled, either by default or by an attacker.

Old news

Following the publication of this article, a Kentico spokesperson told The Daily Swig that this issue had been discovered internally and patched more than 10 years ago, in version 5.5.R2.13 of the software.

“We really appreciate any report from independent security researchers who help us to keep our product more secure,” said Kentico CISO Juraj Komlosi.

“However… this issue was fixed in Kentico CMS version 5.5.R2.13. The date of the fix: 11th of March 2011.

“In 2011 it was reported by a Kentico developer and properly fixed in the hotfix. That’s the reason why we thank to Anastasios, but he was not the first who found this issue and he reported us a 10-year-old fixed issue.”

With the impact of this bug limited only to those running outdated Kentico versions, Komlosi said the time was now for any remaining stragglers to update.

“It’s the same as someone was still using Windows XP,” he said. “If the version you use is not supported anymore and you want to make sure there are no major functional or security bugs you have to upgrade to the latest supported version. The same works for Kentico.”


This article has been updated with clarification from Kentico on the vulnerable software version.


YOU MIGHT ALSO LIKE Researchers uncover hidden flaws in Apple’s offline ‘find my device’ feature