Security readout for executives and security teams
Plain-English summary
Kentico Xperience sites at or below 12.0.102 may have a weakness in how URL hashes are protected. An unauthenticated network attacker could potentially reuse or manipulate hash values, creating confidentiality risk. The source bundle identifies a Kentico hotfix as the remediation path. No active exploitation is cited.
Executive priority
Treat as a high-priority patching issue for public Kentico Xperience sites. The main business concern is unauthorized access to protected information through weak URL hash protections. There is no cited evidence of active exploitation, but the vulnerability is remotely reachable and unauthenticated.
Technical view
CVE-2021-47712 is a cryptography vulnerability in Kentico Xperience URL hashing, mapped to CWE-327. CVSS 3.1 is 7.5: network-accessible, low complexity, no privileges, no user interaction, with high confidentiality impact. Vendor hotfixes reportedly add a security layer to prevent hash reuse and potential exploitation.
Likely exposure
Exposure is most likely for internet-facing Kentico Xperience deployments running version 12.0.102 or earlier. The provided affected-version metadata is incomplete, so teams should confirm exact product and hotfix levels against Kentico guidance.
Exploitation context
The sources describe potential manipulation or reuse of URL hash values through existing hashing mechanisms. The CVE is not listed as KEV in the provided bundle, and no cited source states active exploitation.
Researcher notes
Public detail is limited. Avoid assuming exploitability beyond the described URL hash manipulation and reuse risk. The affected-version field in the bundle is not useful, while the title identifies <=12.0.102. Use Kentico hotfix records as the authoritative remediation reference.
Mitigation direction
- Identify Kentico Xperience deployments and their exact hotfix levels.
- Apply the relevant Kentico hotfix from the vendor hotfix page.
- Prioritize internet-facing Kentico instances before internal-only systems.
- Review Kentico vendor guidance for any additional configuration requirements.
Validation and detection
- Confirm deployed Kentico Xperience version and hotfix level.
- Verify the environment is above 12.0.102 or otherwise vendor-remediated.
- Check asset inventory for public Kentico Xperience exposure.
- Document remediation status for each affected application.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-327: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2021-47712 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 7.5 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N3.93.6Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
7.5HighVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source materials
- CVE List V5 sourceCVE List V5
- Kentico DevNet HotfixesCVE reference · vendor-advisory, patch
- VulnCheck Advisory: Kentico Xperience <= 12.0.102 URL Hashing Cryptography VulnerabilityCVE reference · third-party-advisory
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Use of a Broken or Risky Cryptographic Algorithm
Use of a Broken or Risky Cryptographic Algorithm represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
