CVE-2025-2748 is a stored Cross-site Scripting (XSS) vulnerability identified in Kentico Xperience, a popular web content management system. The flaw exists in the multiple-file upload functionality, where the application fails to adequately validate or sanitize uploaded files. This improper neutralization of input (CWE-79) allows attackers to embed malicious scripts within uploaded files that are later rendered in the context of the web application. When a victim user accesses the affected page, the malicious script executes in their browser, potentially stealing session tokens, performing actions on behalf of the user, or defacing the website. The vulnerability also relates to CWE-434, indicating improper handling of file uploads, which can contribute to the injection of executable content. The CVSS 3.1 base score of 6.1 reflects a medium severity, with an attack vector of network (remote), low attack complexity, no privileges required, but user interaction necessary to trigger the exploit. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. Confidentiality and integrity impacts are low, while availability is unaffected. No patches or known exploits are currently reported, but the vulnerability is publicly disclosed as of March 24, 2025. Organizations using Kentico Xperience versions up to 13.0.178 should consider this a significant risk, especially for public-facing websites where user-uploaded content is enabled.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of web applications using Kentico Xperience. Attackers exploiting this flaw can execute arbitrary JavaScript in the context of users' browsers, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement of web content. This can damage organizational reputation, lead to data breaches involving personal or sensitive information, and violate GDPR requirements on data protection and user privacy. Since the vulnerability requires user interaction, phishing or social engineering campaigns could be used to lure users to vulnerable pages. The impact is heightened for organizations with high web traffic, customer portals, or those handling sensitive user data. Although availability is not directly affected, the indirect consequences of exploitation could disrupt business operations and trust. The lack of known exploits currently provides a window for proactive mitigation, but the public disclosure increases the risk of future attacks.

European organizations should implement the following specific mitigations: 1) Immediately review and restrict the multiple-file upload functionality in Kentico Xperience, disabling it if not essential. 2) Apply strict server-side validation and sanitization of all uploaded files, ensuring that executable scripts or HTML content cannot be uploaded or rendered. 3) Implement Content Security Policy (CSP) headers to restrict the execution of inline scripts and untrusted sources, mitigating the impact of XSS payloads. 4) Monitor web application logs for unusual file upload patterns or suspicious user activity. 5) Educate users and administrators about the risks of interacting with untrusted content and phishing attempts. 6) Stay updated with Kentico security advisories and apply patches promptly once available. 7) Consider deploying Web Application Firewalls (WAFs) with rules tuned to detect and block XSS attempts targeting Kentico Xperience. 8) Conduct regular security assessments and penetration testing focusing on file upload and input validation controls.