CVE-2021-46163: 
Kentico Xperience vulnerability analysis and mitigation

Kentico Xperience 13.0.44 contains a Cross-Site Scripting (XSS) vulnerability in its Media Libraries subsystem. The vulnerability was discovered and disclosed on January 8, 2022, and allows attackers to execute malicious scripts via specially crafted XML documents uploaded to the Media Libraries component (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The attack requires user interaction and can be initiated remotely (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary web scripts in the context of the affected application. This can lead to theft of sensitive data, session hijacking, or other malicious actions performed in the context of the affected user's session (GitHub POC).

The vulnerability was identified in version 13.0.44 of Kentico Xperience. Users should upgrade to a patched version of the software. No specific workarounds have been publicly documented (NVD).