CVE-2019-10068 is a .NET object deserialization vulnerability in the Kentico CMS framework that enables attackers to perform remote code execution and gain unauthorized remote access. A SOAP Action within the staging web service deserialized an XML encoded SOAP message within an element of the actual SOAP body. The program uses the staging service to synchronize changes between servers.A malicious request to the staging service could bypass initial authentication and proceed to deserialize user-controlled.NET object input due to a failure to validate security headers. This deserialization then resulted in unauthenticated remote code execution on the Kentico instance’s server.
Mitigation / Precaution
We suggest you update to Kentico CMS version greater than 12.0.15 to fix this vulnerability.
