Vulnerabilities related to Progress Sitefinity
cve-2024-1636
Vulnerability from cvelistv5
Published
2024-02-28 12:05
Modified
2024-08-01 19:14
Summary
Potential Cross-Site Scripting (XSS) in the page editing area.
References
URL | Tags
---|---
https://www.progress.com/sitefinity-cms | product
https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024 | vendor-advisory
Impacted products
Vendor | Product | Affected versions
---|---|---
Progress Software Corporation | Sitefinity | 13.3.7600 ≤ version < 13.3.7649
Progress Software Corporation | Sitefinity | 14.4.8100 ≤ version < 14.4.8135
Progress Software Corporation | Sitefinity | 15.0.8200 ≤ version < 15.0.8227
Details
Assigner (CNA): ProgressSoftware; reserved 2024-02-19, published 2024-02-28T12:05:23Z
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC: CAPEC-63 Cross-Site Scripting (XSS)
CVSS 3.1 (CNA): 8.0 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA ADP SSVC (2024-08-01): Exploitation none, Automatable no, Technical Impact total
CISA ADP CPEs: cpe:2.3:a:progress:sitefinity:13.3.7600:*:*:*:*:*:*:*, cpe:2.3:a:progress:sitefinity:14.4.8100:*:*:*:*:*:*:*, cpe:2.3:a:progress:sitefinity:15.0.8200:*:*:*:*:*:*:*
cve-2017-18179
Vulnerability from cvelistv5
Published
2018-02-12 14:00
Modified
2024-09-16 22:55
Summary
Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring authentication token that remains valid after a password change or a session termination. Also, it is transmitted as a GET parameter. This is fixed in 10.1.
References
URL | Tags
---|---
https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html | x_refsource_MISC
https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html | x_refsource_MISC
Details
Assigner (CNA): mitre; reserved 2018-02-12, published 2018-02-12T14:00:00Z
Impacted products: none listed in the record (vendor, product and version are all "n/a"); the affected and fixed versions are those given in the Summary
CWE: not specified ("n/a")
No CVSS or SSVC metrics are present in the record
cve-2023-27636
Vulnerability from cvelistv5
Published
2024-06-16 00:00
Modified
2024-08-02 12:16
Summary
Progress Sitefinity before 15.0.0 allows XSS by authenticated users via the content form in the SF Editor.
References
URL | Tags
---|---
https://aldisaw.id/security/2024/06/03/CVE-2023-27636.html |
https://www.exploit-db.com/exploits/52035 |
Impacted products
Vendor | Product | Affected versions
---|---|---
progress (CISA ADP) | sitefinity | version < 15.0.0 (cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*)
Details
Assigner (CNA): mitre; reserved 2023-03-05, published 2024-06-16T00:00:00
CWE (CISA ADP): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 3.1 (CISA ADP): 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
CISA ADP SSVC (2024-07-31): Exploitation poc, Automatable no, Technical Impact partial
cve-2017-18178
Vulnerability from cvelistv5
Published
2018-02-12 14:00
Modified
2024-09-16 18:29
Summary
Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target, if the target is specified using a certain %40 syntax. This is fixed in 10.1.
References
URL | Tags
---|---
https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html | x_refsource_MISC
https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html | x_refsource_MISC
Details
Assigner (CNA): mitre; reserved 2018-02-12, published 2018-02-12T14:00:00Z
Impacted products: none listed in the record (vendor, product and version are all "n/a"); the affected and fixed versions are those given in the Summary
CWE: not specified ("n/a")
No CVSS or SSVC metrics are present in the record
cve-2023-29376
Vulnerability from cvelistv5
Published
2023-04-10 00:00
Modified
2025-02-11 15:21
Summary
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potential XSS by privileged users in Sitefinity to media libraries.
References
URL | Tags
---|---
https://www.progress.com/sitefinity-cms |
https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-April-2023 |
Details
Assigner (CNA): mitre; reserved 2023-04-05, published 2023-04-10T00:00:00Z
Impacted products: none listed in the record (vendor, product and version are all "n/a"); the affected and fixed versions are those given in the Summary
CWE (CISA ADP): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 3.1 (CISA ADP): 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA ADP SSVC (2025-02-11): Exploitation none, Automatable no, Technical Impact partial
cve-2017-15883
Vulnerability from cvelistv5
Published
2018-01-08 19:00
Modified
2024-08-05 20:04
Summary
Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remote attackers to bypass authentication and consequently cause a denial of service on load balanced sites or gain privileges via vectors related to weak cryptography.
References
URL | Tags
---|---
https://www.mnemonic.no/news/2017/vulnerability-finding-sitefinity-cms/ | x_refsource_MISC
https://knowledgebase.progress.com/articles/Article/Sitefinity-Security-Advisory-for-cryptographic-vulnerability-CVE-2017-15883 | x_refsource_CONFIRM
Details
Assigner (CNA): mitre; reserved 2017-10-25, public 2017-12-13, published 2018-01-08T19:00:00
Impacted products: none listed in the record (vendor, product and version are all "n/a"); the affected versions are those given in the Summary
CWE: not specified ("n/a")
No CVSS or SSVC metrics are present in the record
cve-2024-11627
Vulnerability from cvelistv5
Published
2025-01-07 07:49
Modified
2025-01-07 15:36
Summary
Insufficient Session Expiration vulnerability in Progress Sitefinity allows Session Fixation. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.
References
URL | Tags
---|---
https://www.progress.com/sitefinity-cms | product
https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025 | vendor-advisory
Impacted products
Vendor | Product | Affected versions
---|---|---
Progress | Sitefinity | 4.0 ≤ version ≤ 14.4.8142
Progress | Sitefinity | 15.0.8200 ≤ version ≤ 15.0.8229
Progress | Sitefinity | 15.1.8300 ≤ version ≤ 15.1.8327
Progress | Sitefinity | 15.2.8400 ≤ version ≤ 15.2.8421
Details
Assigner (CNA): ProgressSoftware; reserved 2024-11-22, published 2025-01-07T07:49:29Z
CWE: CWE-613 Insufficient Session Expiration
CAPEC: CAPEC-596 Session Fixation
CVSS 3.1 (CNA): 6.8 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CISA ADP SSVC (2025-01-07): Exploitation none, Automatable no, Technical Impact total
cve-2017-9248
Vulnerability from cvelistv5
Published
2017-07-03 19:00
Modified
2025-02-07 14:17
Summary
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
References
URL | Tags
---|---
http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness | x_refsource_CONFIRM
https://www.exploit-db.com/exploits/43873/ (EDB 43873) | exploit, x_refsource_EXPLOIT-DB
http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity | x_refsource_CONFIRM
http://www.securityfocus.com/bid/99965 (BID 99965) | vdb-entry, x_refsource_BID
Details
Assigner (CNA): mitre; reserved 2017-05-28, public 2017-07-03, published 2017-07-03T19:00:00Z
Impacted products: none listed in the record (vendor, product and version are all "n/a"); the affected versions are those given in the Summary
CWE (CISA ADP): CWE-522 Insufficiently Protected Credentials
CVSS 3.1 (CISA ADP): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA ADP SSVC (2025-02-07): Exploitation active, Automatable yes, Technical Impact total
CISA KEV: added 2021-11-03, https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2017-9248
cve-2017-18177
Vulnerability from cvelistv5
Published
2018-02-12 14:00
Modified
2024-09-16 18:39
Summary
Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1.
References
URL | Tags
---|---
https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html | x_refsource_MISC
https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html | x_refsource_MISC
Details
Assigner (CNA): mitre; reserved 2018-02-12, published 2018-02-12T14:00:00Z
Impacted products: none listed in the record (vendor, product and version are all "n/a"); the affected and fixed versions are those given in the Summary
CWE: not specified ("n/a")
No CVSS or SSVC metrics are present in the record
cve-2023-29375
Vulnerability from cvelistv5
Published
2023-04-10 00:00
Modified
2025-02-12 14:22
Severity ?
EPSS score ?
Summary
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potentially dangerous file upload through the SharePoint connector.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T14:07:45.785Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.progress.com/sitefinity-cms", }, { tags: [ "x_transferred", ], url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-April-2023", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2023-29375", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-11T15:22:02.089578Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-434", description: "CWE-434 Unrestricted Upload of File with Dangerous Type", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-12T14:22:50.283Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. 
There is potentially dangerous file upload through the SharePoint connector.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-10T00:00:00.000Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://www.progress.com/sitefinity-cms", }, { url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-April-2023", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2023-29375", datePublished: "2023-04-10T00:00:00.000Z", dateReserved: "2023-04-05T00:00:00.000Z", dateUpdated: "2025-02-12T14:22:50.283Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-7215
Vulnerability from cvelistv5
Published
2019-06-06 16:04
Modified
2024-08-04 20:46
Severity ?
EPSS score ?
Summary
Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T20:46:44.695Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://knowledgebase.progress.com/#sort=relevancy&f:%40objecttypelabel=%5BProduct%20Alert%5D", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-For-Resolving-Security-Vulnerabilities-May-2019", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-06-06T16:04:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://knowledgebase.progress.com/#sort=relevancy&f:%40objecttypelabel=%5BProduct%20Alert%5D", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-For-Resolving-Security-Vulnerabilities-May-2019", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2019-7215", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Progress Sitefinity 10.1.6536 
does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://knowledgebase.progress.com/#sort=relevancy&f:@objecttypelabel=[Product%20Alert]", refsource: "MISC", url: "https://knowledgebase.progress.com/#sort=relevancy&f:@objecttypelabel=[Product%20Alert]", }, { name: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-For-Resolving-Security-Vulnerabilities-May-2019", refsource: "CONFIRM", url: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-For-Resolving-Security-Vulnerabilities-May-2019", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2019-7215", datePublished: "2019-06-06T16:04:00", dateReserved: "2019-01-29T00:00:00", dateUpdated: "2024-08-04T20:46:44.695Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
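The record above describes a logout that only rewrites the cookie in the browser while the server-side session stays live, so a captured cookie keeps working even after credentials or permissions change. The following is an added example (not Sitefinity's code, and not from the advisory) showing the two logout behaviours side by side on a minimal in-memory session store, plus the replay check a tester would run: log in, capture the cookie, log out, replay. The store, user name and cookie attributes are constructed for the example.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user: str
    created: float = field(default_factory=time.time)


class SessionStore:
    """Server-side session table keyed by a random token carried in the cookie.
    Constructed in-memory store for the example; a real deployment uses its
    database or cache, but the revocation logic is the same."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user)
        return token

    def resolve(self, token: Optional[str]) -> Optional[str]:
        """Map a presented cookie value to a user, or None if it is not live."""
        if not token:
            return None
        # Compare against every stored token in constant time so the lookup
        # itself does not leak which prefix of a guessed token was right.
        for stored, sess in self._sessions.items():
            if hmac.compare_digest(stored, token):
                return sess.user
        return None

    def logout_cookie_only(self, token: str) -> dict[str, str]:
        """The behaviour the advisory describes: the response overwrites the
        browser cookie but the server-side entry is left alive."""
        return {"Set-Cookie": "session=; Max-Age=0; Path=/; HttpOnly; Secure"}

    def logout(self, token: str) -> dict[str, str]:
        """Fixed version: revoke on the server first, then clear the cookie."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0; Path=/; HttpOnly; Secure"}

    def revoke_all_for_user(self, user: str) -> int:
        """Call on password or permission changes so old sessions cannot
        outlive the credentials that created them."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def replay_after_logout(server_side_revocation: bool) -> bool:
    """Simulate an attacker replaying a captured cookie after the victim logs
    out. Returns True if the replay still resolves to the victim's account."""
    store = SessionStore()
    captured = store.login("editor")  # attacker obtained this cookie value earlier
    if server_side_revocation:
        store.logout(captured)
    else:
        store.logout_cookie_only(captured)
    return store.resolve(captured) == "editor"


def replay_after_password_change() -> bool:
    """Same check after a password change that revokes every session of the user."""
    store = SessionStore()
    captured = store.login("editor")
    store.login("editor")  # the same user signed in on a second device
    revoked = store.revoke_all_for_user("editor")
    return revoked == 2 and store.resolve(captured) is None


if __name__ == "__main__":
    print("cookie-only logout, replay works:", replay_after_logout(False))
    print("server-side logout, replay works:", replay_after_logout(True))
```

The test a practitioner would run against a live instance is the same as `replay_after_logout`: save the session cookie before clicking logout, then replay it against an authenticated backend URL; a 200 instead of a redirect to the login page is the finding.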
cve-2017-18176
Vulnerability from cvelistv5
Published
2018-02-12 14:00
Modified
2024-09-16 22:25
Severity ?
EPSS score ?
Summary
Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T21:13:49.108Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-02-12T14:00:00Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, { tags: [ "x_refsource_MISC", ], url: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-18176", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. 
This is fixed in 10.1.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", refsource: "MISC", url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, { name: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", refsource: "MISC", url: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-18176", datePublished: "2018-02-12T14:00:00Z", dateReserved: "2018-02-12T00:00:00Z", dateUpdated: "2024-09-16T22:25:19.398Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-17392
Vulnerability from cvelistv5
Published
2019-11-26 17:30
Modified
2024-08-05 01:40
Severity ?
EPSS score ?
Summary
Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T01:40:15.558Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-November-2019", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-11-26T17:30:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-November-2019", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2019-17392", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-November-2019", refsource: "MISC", url: 
"https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-November-2019", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2019-17392", datePublished: "2019-11-26T17:30:00", dateReserved: "2019-10-09T00:00:00", dateUpdated: "2024-08-05T01:40:15.558Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
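"Weak Password Recovery Mechanism because the HTTP Host header is mishandled" is the password-reset-poisoning pattern: the reset link is assembled from the request's Host (or X-Forwarded-Host) header, so a request with a spoofed header makes the application mail the victim a link that points at the attacker's host with a live token. The code below is an added example, not Sitefinity's implementation; the canonical base URL, the reset path and the allowed-host list are assumptions made for the example, and the request headers are constructed.

```python
from __future__ import annotations

import secrets
from typing import Mapping
from urllib.parse import quote, urlsplit, urlunsplit

# Assumptions for the example: the deployment's public origin is fixed in
# configuration, and the recovery page lives at this hypothetical path.
CANONICAL_BASE = "https://cms.example.org"
RESET_PATH = "/reset-password"
ALLOWED_HOSTS = frozenset({"cms.example.org"})


def reset_link_from_host_header(headers: Mapping[str, str], token: str) -> str:
    """Weak pattern: the link's origin is taken from request headers, which
    the requester controls. The victim then receives a link to the attacker's
    host carrying a valid reset token."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}{RESET_PATH}?token={quote(token)}"


def reset_link_from_config(headers: Mapping[str, str], token: str) -> str:
    """Fixed pattern: request headers play no part; the origin is configured."""
    base = urlsplit(CANONICAL_BASE)
    return urlunsplit((base.scheme, base.netloc, RESET_PATH, f"token={quote(token)}", ""))


def host_header_allowed(headers: Mapping[str, str]) -> bool:
    """Defence in depth: reject requests whose Host is not one of ours before
    any business logic runs, so code that still reads Host somewhere cannot be
    fed an attacker-chosen value."""
    host = headers.get("Host", "").split(":", 1)[0].strip().lower()
    return host in ALLOWED_HOSTS


def link_origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def compare_origins(headers: Mapping[str, str]) -> tuple[str, str]:
    """Returns (origin of the weak link, origin of the fixed link) for one request."""
    token = secrets.token_urlsafe(24)
    return (link_origin(reset_link_from_host_header(headers, token)),
            link_origin(reset_link_from_config(headers, token)))


# Constructed request headers for the example.
SPOOFED_REQUEST = {"Host": "attacker.example"}
PROXY_SPOOFED_REQUEST = {"Host": "cms.example.org", "X-Forwarded-Host": "attacker.example"}
LEGIT_REQUEST = {"Host": "cms.example.org"}


if __name__ == "__main__":
    for name, hdrs in [("spoofed", SPOOFED_REQUEST), ("legit", LEGIT_REQUEST)]:
        weak, fixed = compare_origins(hdrs)
        print(f"{name}: weak link goes to {weak}, fixed link goes to {fixed}")
```

Note the second spoofed request: a deployment behind a reverse proxy that honours X-Forwarded-Host is exposed even when Host itself is validated, so the allowlist has to be applied to whichever header the framework actually uses to build absolute URLs.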
cve-2017-18175
Vulnerability from cvelistv5
Published
2018-02-12 14:00
Modified
2024-09-16 18:38
Severity ?
EPSS score ?
Summary
Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src attribute of an IMG element. This is fixed in 10.1.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T21:13:48.752Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src attribute of an IMG element. This is fixed in 10.1.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-02-12T14:00:00Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, { tags: [ "x_refsource_MISC", ], url: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-18175", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src 
attribute of an IMG element. This is fixed in 10.1.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", refsource: "MISC", url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, { name: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", refsource: "MISC", url: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-18175", datePublished: "2018-02-12T14:00:00Z", dateReserved: "2018-02-12T00:00:00Z", dateUpdated: "2024-09-16T18:38:47.409Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
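CVE-2017-18177 (the first-name, last-name and About fields) and CVE-2017-18175 (the IMG src in the template configuration) are the same weakness in two different output contexts: text nodes, where entity encoding is sufficient, and a URL-valued attribute, where encoding alone does nothing against a `javascript:` value and a scheme allowlist is needed first. The following is an added example covering both passages; it is not Sitefinity's rendering code, and the markup and payloads are constructed.

```python
from __future__ import annotations

import html
from typing import Optional
from urllib.parse import urlsplit

SAFE_IMG_SCHEMES = frozenset({"http", "https"})


def render_user_card(first: str, last: str, about: str) -> str:
    """Text-node context (the user fields): entity-encode every untrusted
    value at output time, regardless of what was validated on input."""
    return (
        '<div class="user">'
        f'<span class="name">{html.escape(first)} {html.escape(last)}</span>'
        f'<p class="about">{html.escape(about)}</p>'
        '</div>'
    )


def safe_img_src(url: str) -> Optional[str]:
    """URL-in-attribute context (the template's IMG src). Encoding alone is
    not enough because javascript:alert(1) is a perfectly well-formed
    attribute value once encoded, so enforce a scheme allowlist first and
    attribute-encode only the survivor."""
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in SAFE_IMG_SCHEMES or not parts.netloc:
        return None
    return html.escape(candidate, quote=True)


def render_template_image(src: str) -> str:
    safe = safe_img_src(src)
    if safe is None:
        return ""  # drop the element rather than emit an unsafe URL
    return f'<img src="{safe}" alt="">'


if __name__ == "__main__":
    print(render_user_card("<script>alert(1)</script>", "Doe", 'x" onmouseover="alert(1)'))
    print(render_template_image("javascript:alert(1)") or "(javascript: src dropped)")
    print(render_template_image('https://cdn.example/a.png" onerror="alert(1)'))
```

The two `render_template_image` calls at the bottom show the split: the `javascript:` value never reaches the page, and the attribute-breakout attempt survives only as inert text because the quote is encoded before it can close the attribute.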
cve-2018-17055
Vulnerability from cvelistv5
Published
2018-09-28 00:00
Modified
2024-08-05 10:39
Severity ?
EPSS score ?
Summary
An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T10:39:59.563Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2018-09-25T00:00:00", descriptions: [ { lang: "en", value: "An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-10-15T18:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2018-17055", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads.", }, 
], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process/", refsource: "MISC", url: "https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process/", }, { name: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018", refsource: "CONFIRM", url: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-17055", datePublished: "2018-09-28T00:00:00", dateReserved: "2018-09-14T00:00:00", dateUpdated: "2024-08-05T10:39:59.563Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
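Three records on this page are upload-handling defects: CVE-2017-18176 (an uploaded HTML file whose script runs in the application's own origin), CVE-2018-17055 (arbitrary file upload through image uploads) and CVE-2023-29375 (dangerous file upload via the SharePoint connector). The added example below, which is not Sitefinity's code, shows the two controls a practitioner checks for in any upload path: validating the declared type against an allowlist and against the file's actual bytes (including double extensions and image polyglots), and serving stored files with headers that keep the browser from treating them as a page in the CMS origin even if validation is bypassed. The allowlist, sample files and header set are constructed for the example.

```python
from __future__ import annotations

import re

# Allowlist of what the media library may store: extension -> (magic prefix, MIME type).
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
    "pdf": (b"%PDF-", "application/pdf"),
}

# Markers that have no business inside an image: a file carrying them is either
# an HTML/SVG document with a fake extension or a polyglot aimed at MIME sniffing.
ACTIVE_MARKUP = re.compile(rb"<\s*(script|html|svg|iframe|object|embed|body)\b|javascript:", re.I)


def declared_extension(filename: str) -> str:
    """Last dot-suffix of the bare file name; 'shell.png.html' is 'html'."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    ext = name.rsplit(".", 1)[1].lower()
    return "jpg" if ext == "jpeg" else ext


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Returns (accepted, reason). Checks the declared type against the
    allowlist, the content against that type's magic bytes, and image data
    for embedded markup."""
    ext = declared_extension(filename)
    if ext not in ALLOWED:
        return False, f"type {ext or '(none)'} is not allowed"
    magic, _ = ALLOWED[ext]
    if not data.startswith(magic):
        return False, "content does not match the declared type"
    if ext != "pdf" and ACTIVE_MARKUP.search(data):
        return False, "markup embedded in image data"
    return True, "ok"


def download_headers(ext: str, stored_name: str) -> dict[str, str]:
    """Headers for serving a stored file from the application origin. If
    something slips past validation, nosniff, a sandboxed CSP and attachment
    disposition stop the browser from running it as a page in the CMS origin.
    Serving uploads from a separate origin altogether is stronger still."""
    _, mime = ALLOWED[ext]
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name)
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed sample uploads (not real files).
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "page.html": b"<html><script>alert(document.cookie)</script></html>",
    "page.png": b"<html><script>alert(document.cookie)</script></html>",
    "shell.png.html": b"\x89PNG\r\n\x1a\n<script>alert(1)</script>",
    "poly.gif": b"GIF89a" + b"\x00" * 8 + b"<svg onload=alert(1)>",
}


def triage(samples: dict[str, bytes] = SAMPLES) -> dict[str, bool]:
    """Accept/reject decision per sample; only the genuine PNG should pass."""
    return {name: validate_upload(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16} {validate_upload(name, data)}")
    print(download_headers("png", "photo.png"))
```

The magic-byte check is what separates CVE-2018-17055-style issues (an image upload that accepts anything) from a working control; the serving headers are the backstop for the CVE-2017-18176 case, where the problem was not that an HTML file was stored but that it was served from the application's origin.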
cve-2023-6784
Vulnerability from cvelistv5
Published
2023-12-20 14:00
Modified
2024-11-27 20:02
Severity ?
EPSS score ?
Summary
A malicious user could potentially use the Sitefinity system for the distribution of phishing emails.
References
Impacted products
Vendor | Product | Affected versions
---|---|---
Progress Software Corporation | Sitefinity | 15.0 ≤ version < 15.0.8223
Progress Software Corporation | Sitefinity | 14.4 ≤ version < 14.4.8133
Progress Software Corporation | Sitefinity | 14.3 ≤ version < 14.3.8029
Progress Software Corporation | Sitefinity | 14.2 ≤ version < 14.2.7932
Progress Software Corporation | Sitefinity | 14.1 ≤ version < 14.1.7828
Progress Software Corporation | Sitefinity | 13.3 ≤ version < 13.3.7648
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T08:42:07.414Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "product", "x_transferred", ], url: "https://www.progress.com/sitefinity-cms", }, { tags: [ "vendor-advisory", "x_transferred", ], url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2023-6784-December-2023", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-6784", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-11-27T20:02:16.353969Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-11-27T20:02:36.832Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Sitefinity", vendor: "Progress Software Corporation", versions: [ { lessThan: "15.0.8223", status: "affected", version: "15.0", versionType: "semver", }, { lessThan: "14.4.8133", status: "affected", version: "14.4", versionType: "semver", }, { lessThan: "14.3.8029", status: "affected", version: "14.3", versionType: "semver", }, { lessThan: "14.2.7932", status: "affected", version: "14.2", versionType: "semver", }, { lessThan: "14.1.7828", status: "affected", version: "14.1", versionType: "semver", }, { lessThan: "13.3.7648", status: "affected", version: "13.3", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\nA malicious user could potentially use the Sitefinity system for the distribution of phishing emails.\n\n", }, ], value: "\nA malicious user could potentially use the Sitefinity system for the distribution of phishing emails.\n\n", }, ], impacts: [ { capecId: "CAPEC-98", descriptions: [ { lang: "en", 
value: "CAPEC-98 Phishing", }, ], }, { capecId: "CAPEC-163", descriptions: [ { lang: "en", value: "CAPEC-163 Spear Phishing", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-12-20T14:00:55.962Z", orgId: "f9fea0b6-671e-4eea-8fde-31911902ae05", shortName: "ProgressSoftware", }, references: [ { tags: [ "product", ], url: "https://www.progress.com/sitefinity-cms", }, { tags: [ "vendor-advisory", ], url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2023-6784-December-2023", }, ], source: { discovery: "UNKNOWN", }, title: "Potential Use of the Sitefinity System for Distribution of Phishing Emails", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f9fea0b6-671e-4eea-8fde-31911902ae05", assignerShortName: "ProgressSoftware", cveId: "CVE-2023-6784", datePublished: "2023-12-20T14:00:55.962Z", dateReserved: "2023-12-13T15:43:43.447Z", dateUpdated: "2024-11-27T20:02:36.832Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-1632
Vulnerability from cvelistv5
Published
2024-02-28 12:04
Modified
2024-08-02 19:28
Severity ?
EPSS score ?
Summary
Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.
References
Impacted products
Vendor | Product | Affected versions
---|---|---
Progress Software Corporation | Sitefinity | 13.3.7600 ≤ version < 13.3.7649
Progress Software Corporation | Sitefinity | 14.4.8100 ≤ version < 14.4.8135
Progress Software Corporation | Sitefinity | 15.0.8200 ≤ version < 15.0.8227
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T18:48:21.676Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "product", "x_transferred", ], url: "https://www.progress.com/sitefinity-cms", }, { tags: [ "vendor-advisory", "x_transferred", ], url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-1632", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-02T19:28:41.072718Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-02T19:28:52.380Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Sitefinity", vendor: "Progress Software Corporation", versions: [ { lessThan: "13.3.7649", status: "affected", version: "13.3.7600", versionType: "semver", }, { lessThan: "14.4.8135", status: "affected", version: "14.4.8100", versionType: "semver", }, { lessThan: "15.0.8227", status: "affected", version: "15.0.8200", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.", }, ], value: "Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.", }, ], impacts: [ { capecId: "CAPEC-58", descriptions: [ { lang: "en", value: "CAPEC-58: Restful Privilege Elevation", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: 
"HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-284", description: "CWE-284: Improper Access Control", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-28T12:04:45.869Z", orgId: "f9fea0b6-671e-4eea-8fde-31911902ae05", shortName: "ProgressSoftware", }, references: [ { tags: [ "product", ], url: "https://www.progress.com/sitefinity-cms", }, { tags: [ "vendor-advisory", ], url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024", }, ], source: { discovery: "UNKNOWN", }, title: "Incorrect access control in the Sitefinity backend", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f9fea0b6-671e-4eea-8fde-31911902ae05", assignerShortName: "ProgressSoftware", cveId: "CVE-2024-1632", datePublished: "2024-02-28T12:04:45.869Z", dateReserved: "2024-02-19T16:26:35.455Z", dateUpdated: "2024-08-02T19:28:52.380Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-9248
Vulnerability from fkie_nvd
Published
2017-07-03 19:29
Modified
2025-03-14 20:05
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://www.securityfocus.com/bid/99965 | Broken Link, Third Party Advisory, VDB Entry
cve@mitre.org | http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity | Vendor Advisory
cve@mitre.org | http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness | Mitigation, Vendor Advisory
cve@mitre.org | https://www.exploit-db.com/exploits/43873/ | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99965 | Broken Link, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness | Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/43873/ | Exploit, Third Party Advisory, VDB Entry
Impacted products
Vendor | Product | Affected versions
---|---|---
progress | sitefinity | < 10.0.6412.0
telerik | ui_for_asp.net_ajax | ≤ 2017.2.503 (fixed in R2 2017 SP1)
{ cisaActionDue: "2022-05-03", cisaExploitAdd: "2021-11-03", cisaRequiredAction: "Apply updates per vendor instructions.", cisaVulnerabilityName: "Progress Telerik UI for ASP.NET AJAX and Sitefinity Cryptographic Weakness Vulnerability", configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "4BDED80D-FD15-42C1-8A1A-9D144803AFA5", versionEndExcluding: "10.0.6412.0", vulnerable: true, }, { criteria: "cpe:2.3:a:telerik:ui_for_asp.net_ajax:*:*:*:*:*:*:*:*", matchCriteriaId: "ED369CB9-0CF4-4B8F-8075-E2CA3AE6D278", versionEndIncluding: "2017.2.503", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.", }, { lang: "es", value: "La biblioteca Telerik.Web.UI.dll en la Interfaz de Usuario de Progress Telerik para ASP.NET AJAX anterior a la versión R2 2017 SP1 y Sitefinity anterior a la versión 10.0.6412.0, no protege apropiadamente a Telerik.Web.UI.DialogParametersEncryptionKey o MachineKey, lo que facilita para los atacantes remotos superar los mecanismos de protección criptográfica, conllevando a un perdida de MachineKey, cargas o descargas arbitrarias de archivos, XSS o un compromiso de ViewState de ASP.NET.", }, ], id: "CVE-2017-9248", lastModified: "2025-03-14T20:05:03.453", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2017-07-03T19:29:00.270", references: [ { source: "cve@mitre.org", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/99965", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity", }, { source: "cve@mitre.org", tags: [ "Mitigation", "Vendor Advisory", ], url: "http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "https://www.exploit-db.com/exploits/43873/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/99965", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Vendor Advisory", ], url: "http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "https://www.exploit-db.com/exploits/43873/", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-522", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-522", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2018-09-28 00:29
Modified
2024-11-21 03:53
Severity ?
Summary
An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process/ | Exploit, Technical Description, Third Party Advisory
cve@mitre.org | https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process/ | Exploit, Technical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018 | Vendor Advisory
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | 4.0 ≤ version ≤ 11.0
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "5073B5C6-A1A9-4B99-A366-411D0F2055FB", versionEndIncluding: "11.0", versionStartIncluding: "4.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads.", }, { lang: "es", value: "Una vulnerabilidad de subida de archivos arbitrarios en Progress Sitefinity CMS, desde la versión 4.0 hasta la 11.0, relacionada con la subida de imágenes.", }, ], id: "CVE-2018-17055", lastModified: "2024-11-21T03:53:47.150", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-09-28T00:29:02.587", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Technical Description", "Third Party Advisory", ], url: "https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process/", }, { source: "cve@mitre.org", 
tags: [ "Vendor Advisory", ], url: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Technical Description", "Third Party Advisory", ], url: "https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-434", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-06-16 21:15
Modified
2024-11-21 07:53
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Summary
Progress Sitefinity before 15.0.0 allows XSS by authenticated users via the content form in the SF Editor.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://aldisaw.id/security/2024/06/03/CVE-2023-27636.html | Exploit, Third Party Advisory
cve@mitre.org | https://www.exploit-db.com/exploits/52035 | Exploit
af854a3a-2127-422b-91ae-364da2661108 | https://aldisaw.id/security/2024/06/03/CVE-2023-27636.html | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/52035 | Exploit
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | version < 15.0.0
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "290E16EC-92A8-406F-96BE-90E6149E0A34", versionEndExcluding: "15.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Progress Sitefinity before 15.0.0 allows XSS by authenticated users via the content form in the SF Editor.", }, { lang: "es", value: "Progress Sitefinity anterior a 15.0.0 permite XSS por parte de usuarios autenticados a través del formulario de contenido en el Editor SF.", }, ], id: "CVE-2023-27636", lastModified: "2024-11-21T07:53:18.780", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 3.7, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2024-06-16T21:15:50.620", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://aldisaw.id/security/2024/06/03/CVE-2023-27636.html", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "https://www.exploit-db.com/exploits/52035", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: 
"https://aldisaw.id/security/2024/06/03/CVE-2023-27636.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "https://www.exploit-db.com/exploits/52035", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-79", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2018-02-12 14:29
Modified
2024-11-21 03:19
Severity ?
Summary
Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html | Exploit, Third Party Advisory, VDB Entry
cve@mitre.org | https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html | Exploit, Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | 9.1
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:9.1:*:*:*:*:*:*:*", matchCriteriaId: "0F361531-8E0F-42AB-8ECF-541A201438E6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1.", }, { lang: "es", value: "Progress Sitefinity 9.1 tiene XSS mediante la subida de archivos, debido a que el código JavaScript en un archivo HTML tiene el mismo origen que el propio código de la aplicación. Esto se ha solucionado en la versión 10.1.", }, ], id: "CVE-2017-18176", lastModified: "2024-11-21T03:19:29.450", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-02-12T14:29:00.270", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: 
"https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-02-28 12:15
Modified
2024-12-16 21:05
Severity ?
8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Potential Cross-Site Scripting (XSS) in the page editing area.
References
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | version < 13.3.7649
progress | sitefinity | 14.0 ≤ version < 14.4.8135
progress | sitefinity | 15.0.8200 ≤ version < 15.0.8227
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "9876A2DA-78C4-4939-A78C-E5F328F3B8BA", versionEndExcluding: "13.3.7649", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "AEDEE388-0A95-4EB3-8A7C-FDF0076DEF00", versionEndExcluding: "14.4.8135", versionStartIncluding: "14.0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "E623CD0A-766F-404D-B163-B17FDD9D0518", versionEndExcluding: "15.0.8227", versionStartIncluding: "15.0.8200", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Potential Cross-Site Scripting (XSS) in the page editing area.", }, { lang: "es", value: "Posible Cross-Site Scripting (XSS) en el área de edición de páginas.", }, ], id: "CVE-2024-1636", lastModified: "2024-12-16T21:05:49.493", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 5.9, source: "security@progress.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-02-28T12:15:47.097", references: [ { source: "security@progress.com", tags: [ "Vendor Advisory", ], url: 
"https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024", }, { source: "security@progress.com", tags: [ "Product", ], url: "https://www.progress.com/sitefinity-cms", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://www.progress.com/sitefinity-cms", }, ], sourceIdentifier: "security@progress.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "security@progress.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-06-06 17:29
Modified
2024-11-21 04:47
Severity ?
Summary
Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.
References
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | 7.0 ≤ version < 7.0.5143
progress | sitefinity | 7.1 ≤ version < 7.1.5243
progress | sitefinity | 7.2 ≤ version < 7.2.5353
progress | sitefinity | 7.3 ≤ version < 7.3.5693
progress | sitefinity | 8.0 ≤ version < 8.0.5773
progress | sitefinity | 8.1 ≤ version < 8.1.5863
progress | sitefinity | 8.2 ≤ version < 8.2.5973
progress | sitefinity | 9.0 ≤ version < 9.0.6063
progress | sitefinity | 9.1 ≤ version < 9.1.6183
progress | sitefinity | 9.2 ≤ version < 9.2.6274
progress | sitefinity | 10.0 ≤ version < 10.0.6429
progress | sitefinity | 10.1 ≤ version ≤ 10.1.6540
progress | sitefinity | 10.2 ≤ version < 10.2.6649
progress | sitefinity | 11.0 ≤ version < 11.0.6736
progress | sitefinity | 11.1 ≤ version < 11.1.6826
progress | sitefinity | 11.2 ≤ version < 11.2.6929
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "277BD71B-6CE3-435B-8BA8-3F1EBB02E76C", versionEndExcluding: "7.0.5143", versionStartIncluding: "7.0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "24A8ADA8-5742-4141-940A-B7ED1AF319F8", versionEndExcluding: "7.1.5243", versionStartIncluding: "7.1", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "422E03B1-714E-4F25-8CE9-48682C867DA1", versionEndExcluding: "7.2.5353", versionStartIncluding: "7.2", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "D8E20A20-7522-4DA7-AB34-0C6DC8FC74CA", versionEndExcluding: "7.3.5693", versionStartIncluding: "7.3", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "B4700637-9C9E-4F5A-9844-BF2F3303102A", versionEndExcluding: "8.0.5773", versionStartIncluding: "8.0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "D756D511-7699-4951-8456-DDF43B2592A4", versionEndExcluding: "8.1.5863", versionStartIncluding: "8.1", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "030764BB-4532-4AD0-AE89-8AD06C07AE0E", versionEndExcluding: "8.2.5973", versionStartIncluding: "8.2", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "594F2749-3088-46A7-BBE6-6A490722D059", versionEndExcluding: "9.0.6063", versionStartIncluding: "9.0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "2A9A4720-84A1-4CF1-96F6-F7DDE3031599", versionEndExcluding: "9.1.6183", versionStartIncluding: "9.1", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "5D871475-D354-439A-BFD1-3238F68FC2AA", 
versionEndExcluding: "9.2.6274", versionStartIncluding: "9.2", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "EE8C4C3B-C0E5-44FE-AAA9-B0C0C930DB6A", versionEndExcluding: "10.0.6429", versionStartIncluding: "10.0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "FCC9A73D-572F-41B1-9830-C069FBA63DA7", versionEndIncluding: "10.1.6540", versionStartIncluding: "10.1", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "4D640141-AD94-4FBE-9655-0DBEB5F7E485", versionEndExcluding: "10.2.6649", versionStartIncluding: "10.2", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "E43A58F8-5134-43E0-81DA-F38956671F3B", versionEndExcluding: "11.0.6736", versionStartIncluding: "11.0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "9DCABE1C-030E-4097-99BA-A7D40039C497", versionEndExcluding: "11.1.6826", versionStartIncluding: "11.1", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "65D928E7-F706-4101-899F-DCA0BF1FC459", versionEndExcluding: "11.2.6929", versionStartIncluding: "11.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.", }, { lang: "es", value: "Progress Sitefinity 10.1.6536 no invalida las cookies de sesión al cerrar la sesión. En su lugar, intenta sobrescribir la cookie en el navegador, pero sigue siendo válida en el lado del servidor. 
Esto significa que la cookie se puede reutilizar para mantener el acceso a la cuenta, incluso si se cambian las credenciales y los permisos de la cuenta.", }, ], id: "CVE-2019-7215", lastModified: "2024-11-21T04:47:45.963", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 6.4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-06-06T17:29:00.383", references: [ { source: "cve@mitre.org", url: "https://knowledgebase.progress.com/#sort=relevancy&f:%40objecttypelabel=%5BProduct%20Alert%5D", }, { source: "cve@mitre.org", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-For-Resolving-Security-Vulnerabilities-May-2019", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://knowledgebase.progress.com/#sort=relevancy&f:%40objecttypelabel=%5BProduct%20Alert%5D", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-For-Resolving-Security-Vulnerabilities-May-2019", }, ], sourceIdentifier: 
"cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-613", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-02-12 14:29
Modified
2024-11-21 03:19
Severity ?
Summary
Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html | Exploit, Third Party Advisory, VDB Entry
cve@mitre.org | https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html | Exploit, Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | 9.1
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:9.1:*:*:*:*:*:*:*", matchCriteriaId: "0F361531-8E0F-42AB-8ECF-541A201438E6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1.", }, { lang: "es", value: "Progress Sitefinity 9.1 tiene XSS mediante los campos Last name, First name y About en la página de creación de nuevo usuario. Esto se ha solucionado en la versión 10.1.", }, ], id: "CVE-2017-18177", lastModified: "2024-11-21T03:19:29.607", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-02-12T14:29:00.317", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", 
], url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-02-12 14:29
Modified
2024-11-21 03:19
Severity ?
Summary
Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target, if the target is specified using a certain %40 syntax. This is fixed in 10.1.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html | Exploit, Third Party Advisory, VDB Entry
cve@mitre.org | https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html | Exploit, Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | 9.1
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:9.1:*:*:*:*:*:*:*", matchCriteriaId: "0F361531-8E0F-42AB-8ECF-541A201438E6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target, if the target is specified using a certain %40 syntax. This is fixed in 10.1.", }, { lang: "es", value: "Authenticate/SWT en Progress Sitefinity 9.1 tiene un problema de redirección abierta en el que un token de autenticación se envía al destinatario de la redirección, siempre y cuando el objetivo se especifique empleando una sintaxis %40 en concreto. Esto se ha solucionado en la versión 10.1.", }, ], id: "CVE-2017-18178", lastModified: "2024-11-21T03:19:29.753", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-02-12T14:29:00.367", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party 
Advisory", "VDB Entry", ], url: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-601", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-02-12 14:29
Modified
2024-11-21 03:19
Severity ?
Summary
Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src attribute of an IMG element. This is fixed in 10.1.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html | Exploit, Third Party Advisory, VDB Entry
cve@mitre.org | https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html | Exploit, Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | 9.1
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:9.1:*:*:*:*:*:*:*", matchCriteriaId: "0F361531-8E0F-42AB-8ECF-541A201438E6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src attribute of an IMG element. This is fixed in 10.1.", }, { lang: "es", value: "Progress Sitefinity 9.1 tiene XSS mediante Content Management Template Configuration (también llamado Templateconfiguration), tal y como demuestra el atributo src de un elemento IMG. Esto se ha solucionado en la versión 10.1.", }, ], id: "CVE-2017-18175", lastModified: "2024-11-21T03:19:29.300", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-02-12T14:29:00.210", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: 
"https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-12-20 14:15
Modified
2024-11-21 08:44
Severity
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
A malicious user could potentially use the Sitefinity system for the distribution of phishing emails.
References
Source | URL | Tags
---|---|---
security@progress.com | https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2023-6784-December-2023 | Vendor Advisory
security@progress.com | https://www.progress.com/sitefinity-cms | Product
af854a3a-2127-422b-91ae-364da2661108 | https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2023-6784-December-2023 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.progress.com/sitefinity-cms | Product
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | 4.0 ≤ version < 13.3.7648
progress | sitefinity | 14.1 ≤ version < 14.1.7828
progress | sitefinity | 14.2 ≤ version < 14.2.7932
progress | sitefinity | 14.3 ≤ version < 14.3.8029
progress | sitefinity | 14.4 ≤ version < 14.4.8133
progress | sitefinity | 15.0 ≤ version < 15.0.8223
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "79902E4E-BC20-41EE-9DA9-66B9325DB92D", versionEndExcluding: "13.3.7648", versionStartIncluding: "4.0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "41EA756F-BDCE-45CA-BC14-A4090A20F842", versionEndExcluding: "14.1.7828", versionStartIncluding: "14.1", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "27BE39A8-96AD-4427-B962-100339B39F8B", versionEndExcluding: "14.2.7932", versionStartIncluding: "14.2", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "9D7BDC13-4790-458C-8F62-8EEC3CE9D5A4", versionEndExcluding: "14.3.8029", versionStartIncluding: "14.3", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "26A406A7-9F09-4C33-8522-CE37237B3447", versionEndExcluding: "14.4.8133", versionStartIncluding: "14.4", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "CB227901-D62B-48D7-BC82-CE38D6D26535", versionEndExcluding: "15.0.8223", versionStartIncluding: "15.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "\nA malicious user could potentially use the Sitefinity system for the distribution of phishing emails.\n\n", }, { lang: "es", value: "Un usuario malintencionado podría utilizar el sistema Sitefinity para la distribución de correos electrónicos de phishing.", }, ], id: "CVE-2023-6784", lastModified: "2024-11-21T08:44:33.280", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "security@progress.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-12-20T14:15:22.793", references: [ { source: "security@progress.com", tags: [ "Vendor Advisory", ], url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2023-6784-December-2023", }, { source: "security@progress.com", tags: [ "Product", ], url: "https://www.progress.com/sitefinity-cms", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2023-6784-December-2023", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://www.progress.com/sitefinity-cms", }, ], sourceIdentifier: "security@progress.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "security@progress.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-02-12 14:29
Modified
2024-11-21 03:19
Severity
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 (Medium) - AV:N/AC:L/Au:S/C:P/I:P/A:P
Summary
Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring authentication token that remains valid after a password change or a session termination. Also, it is transmitted as a GET parameter. This is fixed in 10.1.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html | Exploit, Third Party Advisory, VDB Entry
cve@mitre.org | https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html | Exploit, Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | 9.1
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:9.1:*:*:*:*:*:*:*", matchCriteriaId: "0F361531-8E0F-42AB-8ECF-541A201438E6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring authentication token that remains valid after a password change or a session termination. Also, it is transmitted as a GET parameter. This is fixed in 10.1.", }, { lang: "es", value: "Progress Sitefinity 9.1 emplea wrap_access_token como token de autenticación sin caducidad que sigue siendo válido tras un cambio de contraseña o una finalización de sesión. Además, se transmite como parámetro GET. Esto se ha solucionado en la versión 10.1.", }, ], id: "CVE-2017-18179", lastModified: "2024-11-21T03:19:29.917", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-02-12T14:29:00.427", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: 
"https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-04-10 15:15
Modified
2025-02-12 15:15
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potentially dangerous file upload through the SharePoint connector.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-April-2023 | Vendor Advisory
cve@mitre.org | https://www.progress.com/sitefinity-cms | Product
af854a3a-2127-422b-91ae-364da2661108 | https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-April-2023 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.progress.com/sitefinity-cms | Product
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | 13.3 ≤ version < 13.3.7646
progress | sitefinity | 14.0 ≤ version < 14.0.7736
progress | sitefinity | 14.1 ≤ version < 14.1.7826
progress | sitefinity | 14.2 ≤ version < 14.2.7930
progress | sitefinity | 14.3 ≤ version < 14.3.8026
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "50BB226D-409D-4549-931E-D6668E27CDDE", versionEndExcluding: "13.3.7646", versionStartIncluding: "13.3", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "6FA25F74-CF2D-4126-91F3-F60C27699AF9", versionEndExcluding: "14.0.7736", versionStartIncluding: "14.0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "C672393B-15D3-4D0B-AA66-FA741EE74A60", versionEndExcluding: "14.1.7826", versionStartIncluding: "14.1", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "280EAD40-FC61-4DFC-9B4D-6600CA48DC05", versionEndExcluding: "14.2.7930", versionStartIncluding: "14.2", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "80A1112E-32F1-4A99-9517-15EC1BBF3ED3", versionEndExcluding: "14.3.8026", versionStartIncluding: "14.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. 
There is potentially dangerous file upload through the SharePoint connector.", }, ], id: "CVE-2023-29375", lastModified: "2025-02-12T15:15:11.883", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2023-04-10T15:15:07.310", references: [ { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-April-2023", }, { source: "cve@mitre.org", tags: [ "Product", ], url: "https://www.progress.com/sitefinity-cms", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-April-2023", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://www.progress.com/sitefinity-cms", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-434", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-434", }, ], source: 
"134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2019-11-26 18:15
Modified
2024-11-21 04:32
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (High) - AV:N/AC:L/Au:N/C:P/I:P/A:P
Summary
Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-November-2019 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-November-2019 | Vendor Advisory
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | 9.1 ≤ version < 9.1.6185
progress | sitefinity | 9.2 ≤ version < 9.2.6276
progress | sitefinity | 10.0 ≤ version < 10.0.6431
progress | sitefinity | 10.1 ≤ version < 10.1.6542
progress | sitefinity | 10.2 ≤ version ≤ 10.2.6651
progress | sitefinity | 11.0 ≤ version ≤ 11.0.6739
progress | sitefinity | 11.1 ≤ version ≤ 11.1.6828
progress | sitefinity | 11.2 ≤ version ≤ 11.2.6934
progress | sitefinity | 12.0 ≤ version ≤ 12.0.7032
progress | sitefinity | 12.1 ≤ version ≤ 12.1.7128
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "24DE62D6-B2DA-4FC0-8499-87BEC5B708FD", versionEndExcluding: "9.1.6185", versionStartIncluding: "9.1", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "A6F1B054-D1ED-4C4D-BD13-E45C9ADA6334", versionEndExcluding: "9.2.6276", versionStartIncluding: "9.2", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "6394DFD0-9003-4EA1-924D-7998952B9ACE", versionEndExcluding: "10.0.6431", versionStartIncluding: "10.0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "C3B0CD2B-5682-41F3-8BFF-8E9D8CE3B8C1", versionEndExcluding: "10.1.6542", versionStartIncluding: "10.1", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "49939784-741E-45F2-B464-8E70657DE6AC", versionEndIncluding: "10.2.6651", versionStartIncluding: "10.2", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "31EF4B77-881F-4D7C-A682-D33715529106", versionEndIncluding: "11.0.6739", versionStartIncluding: "11.0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "B83FA0DE-D7C7-4ABB-B690-891C84C57F35", versionEndIncluding: "11.1.6828", versionStartIncluding: "11.1", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "7F120DE8-80E6-48F7-B7D0-AFE5EBFE2A76", versionEndIncluding: "11.2.6934", versionStartIncluding: "11.2", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "28C12336-9006-4233-A073-20DE08E09F28", versionEndIncluding: "12.0.7032", versionStartIncluding: "12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "51135FAE-3AD9-484A-9181-705AFA658170", 
versionEndIncluding: "12.1.7128", versionStartIncluding: "12.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled.", }, { lang: "es", value: "Progress Sitefinity versión 12.1, tiene un mecanismo de recuperación de contraseña débil para una contraseña olvidada porque el encabezado de Host de HTTP es manejado inapropiadamente.", }, ], id: "CVE-2019-17392", lastModified: "2024-11-21T04:32:14.917", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-11-26T18:15:15.600", references: [ { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-November-2019", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: 
"https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-November-2019", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-640", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-02-28 12:15
Modified
2024-12-16 21:04
Severity
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.
References
Source | URL | Tags
---|---|---
security@progress.com | https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024 | Vendor Advisory
security@progress.com | https://www.progress.com/sitefinity-cms | Product
af854a3a-2127-422b-91ae-364da2661108 | https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.progress.com/sitefinity-cms | Product
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | version < 13.3.7649
progress | sitefinity | 14.0 ≤ version < 14.4.8135
progress | sitefinity | 15.0.8200 ≤ version < 15.0.8227
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "9876A2DA-78C4-4939-A78C-E5F328F3B8BA", versionEndExcluding: "13.3.7649", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "AEDEE388-0A95-4EB3-8A7C-FDF0076DEF00", versionEndExcluding: "14.4.8135", versionStartIncluding: "14.0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "E623CD0A-766F-404D-B163-B17FDD9D0518", versionEndExcluding: "15.0.8227", versionStartIncluding: "15.0.8200", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.", }, { lang: "es", value: "Los usuarios con pocos privilegios y con acceso al backend de Sitefinity pueden obtener información confidencial del área administrativa del sitio.", }, ], id: "CVE-2024-1632", lastModified: "2024-12-16T21:04:13.760", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "security@progress.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], 
}, published: "2024-02-28T12:15:46.253", references: [ { source: "security@progress.com", tags: [ "Vendor Advisory", ], url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024", }, { source: "security@progress.com", tags: [ "Product", ], url: "https://www.progress.com/sitefinity-cms", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://www.progress.com/sitefinity-cms", }, ], sourceIdentifier: "security@progress.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-284", }, ], source: "security@progress.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-01-08 19:29
Modified
2024-11-21 03:15
Severity
9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (High) - AV:N/AC:L/Au:N/C:P/I:P/A:P
Summary
Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remote attackers to bypass authentication and consequently cause a denial of service on load balanced sites or gain privileges via vectors related to weak cryptography.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://knowledgebase.progress.com/articles/Article/Sitefinity-Security-Advisory-for-cryptographic-vulnerability-CVE-2017-15883 | Vendor Advisory
cve@mitre.org | https://www.mnemonic.no/news/2017/vulnerability-finding-sitefinity-cms/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://knowledgebase.progress.com/articles/Article/Sitefinity-Security-Advisory-for-cryptographic-vulnerability-CVE-2017-15883 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.mnemonic.no/news/2017/vulnerability-finding-sitefinity-cms/ | Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | 5.1
progress | sitefinity | 5.2
progress | sitefinity | 5.3
progress | sitefinity | 5.4
progress | sitefinity | 6.0
progress | sitefinity | 6.1
progress | sitefinity | 6.2
progress | sitefinity | 6.3
progress | sitefinity | 7.0
progress | sitefinity | 7.1
progress | sitefinity | 7.2
progress | sitefinity | 7.3
progress | sitefinity | 8.0
progress | sitefinity | 8.1
progress | sitefinity | 8.2
progress | sitefinity | 9.0
progress | sitefinity | 9.1
progress | sitefinity | 9.2
progress | sitefinity | 10.0
progress | sitefinity | 10.1
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:5.1:*:*:*:*:*:*:*", matchCriteriaId: "1E7D51DC-4323-4688-909A-F7A91606AAA9", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:5.2:*:*:*:*:*:*:*", matchCriteriaId: "5BA4201A-5E74-4175-8CA7-14E1FF9C919F", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:5.3:*:*:*:*:*:*:*", matchCriteriaId: "1093AEA4-6171-4888-B459-4E556F795647", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:5.4:*:*:*:*:*:*:*", matchCriteriaId: "9FCC0A55-CB11-4E94-8E47-0A01190B3306", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:6.0:*:*:*:*:*:*:*", matchCriteriaId: "0898F18C-75C2-49E4-A0D5-7F8A621BCDF0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:6.1:*:*:*:*:*:*:*", matchCriteriaId: "E6B5D7A1-55C3-4019-B987-3DFB0890A016", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:6.2:*:*:*:*:*:*:*", matchCriteriaId: "8F90C068-F46A-404E-B8C0-61C66E3490E3", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:6.3:*:*:*:*:*:*:*", matchCriteriaId: "7EC9C199-4B1D-475B-A230-382B79FF2E5F", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:7.0:*:*:*:*:*:*:*", matchCriteriaId: "5879E989-5FA5-4B7C-B408-D28BF9A6E475", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:7.1:*:*:*:*:*:*:*", matchCriteriaId: "9A429147-D26F-4D00-82F8-0AB38787F058", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:7.2:*:*:*:*:*:*:*", matchCriteriaId: "A3894214-0F21-4B1A-86B7-5C1C959CEBB2", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:7.3:*:*:*:*:*:*:*", matchCriteriaId: "5703FDB2-89F3-4A4D-8CE1-DAB5410364C0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:8.0:*:*:*:*:*:*:*", matchCriteriaId: "9765DA21-E412-4531-8414-5E9909DD7C64", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:8.1:*:*:*:*:*:*:*", matchCriteriaId: "A8A3612F-4F13-496F-BCB7-443B28F83757", 
vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:8.2:*:*:*:*:*:*:*", matchCriteriaId: "B539481B-721D-4711-8547-549D6BF4EFE8", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:9.0:*:*:*:*:*:*:*", matchCriteriaId: "E118E651-D5EA-4A3C-95D3-ABE7A7A410F8", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:9.1:*:*:*:*:*:*:*", matchCriteriaId: "0F361531-8E0F-42AB-8ECF-541A201438E6", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:9.2:*:*:*:*:*:*:*", matchCriteriaId: "44C5BD02-D8AA-4525-BACA-B4C6C0563A18", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:10.0:*:*:*:*:*:*:*", matchCriteriaId: "0EF7E946-EBF1-45A9-99C7-AF38E5845CE5", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:10.1:*:*:*:*:*:*:*", matchCriteriaId: "252F8F5C-C395-40F6-808C-F278EB21E5A0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remote attackers to bypass authentication and consequently cause a denial of service on load balanced sites or gain privileges via vectors related to weak cryptography.", }, { lang: "es", value: "Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x y 10.x permite que los atacantes remotos omitan la autenticación y que provoquen una denegación de servicio (DoS) en consecuencia en las páginas con carga balanceada o obtengan privilegios mediante vectores relacionados con una criptografía débil.", }, ], id: "CVE-2017-15883", lastModified: "2024-11-21T03:15:24.227", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, 
obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-01-08T19:29:00.953", references: [ { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "https://knowledgebase.progress.com/articles/Article/Sitefinity-Security-Advisory-for-cryptographic-vulnerability-CVE-2017-15883", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://www.mnemonic.no/news/2017/vulnerability-finding-sitefinity-cms/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://knowledgebase.progress.com/articles/Article/Sitefinity-Security-Advisory-for-cryptographic-vulnerability-CVE-2017-15883", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.mnemonic.no/news/2017/vulnerability-finding-sitefinity-cms/", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-04-10 15:15
Modified
2025-02-11 16:15
Severity
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potential XSS by privileged users in Sitefinity to media libraries.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-April-2023 | Vendor Advisory
cve@mitre.org | https://www.progress.com/sitefinity-cms | Product
af854a3a-2127-422b-91ae-364da2661108 | https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-April-2023 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.progress.com/sitefinity-cms | Product
Impacted products
Vendor | Product | Version
---|---|---
progress | sitefinity | 13.3 ≤ version < 13.3.7646
progress | sitefinity | 14.0 ≤ version < 14.0.7736
progress | sitefinity | 14.1 ≤ version < 14.1.7826
progress | sitefinity | 14.2 ≤ version < 14.2.7930
progress | sitefinity | 14.3 ≤ version < 14.3.8026
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "50BB226D-409D-4549-931E-D6668E27CDDE", versionEndExcluding: "13.3.7646", versionStartIncluding: "13.3", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "6FA25F74-CF2D-4126-91F3-F60C27699AF9", versionEndExcluding: "14.0.7736", versionStartIncluding: "14.0", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "C672393B-15D3-4D0B-AA66-FA741EE74A60", versionEndExcluding: "14.1.7826", versionStartIncluding: "14.1", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "280EAD40-FC61-4DFC-9B4D-6600CA48DC05", versionEndExcluding: "14.2.7930", versionStartIncluding: "14.2", vulnerable: true, }, { criteria: "cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*", matchCriteriaId: "80A1112E-32F1-4A99-9517-15EC1BBF3ED3", versionEndExcluding: "14.3.8026", versionStartIncluding: "14.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. 
There is potential XSS by privileged users in Sitefinity to media libraries.", }, ], id: "CVE-2023-29376", lastModified: "2025-02-11T16:15:38.160", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2023-04-10T15:15:07.343", references: [ { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-April-2023", }, { source: "cve@mitre.org", tags: [ "Product", ], url: "https://www.progress.com/sitefinity-cms", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-April-2023", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://www.progress.com/sitefinity-cms", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-79", }, ], source: 
"134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }