Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
14 vulnerabilities found for Sitefinity by Progress Software Corporation
CVE-2025-1968 (GCVE-0-2025-1968)
Vulnerability from nvd – Published: 2025-04-09 13:33 – Updated: 2026-02-26 18:28
VLAI?
Summary
Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429.
Severity ?
7.7 (High)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Sitefinity |
Affected:
14.0 , ≤ 14.3
(custom)
Affected: 14.4 , < 14.4.8145 (custom) Affected: 15.0 , < 15.0.8231 (custom) Affected: 15.1 , < 15.1.8332 (custom) Affected: 15.2 , < 15.2.8429 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T03:55:30.253793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T18:28:29.081Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThanOrEqual": "14.3",
"status": "affected",
"version": "14.0",
"versionType": "custom"
},
{
"lessThan": "14.4.8145",
"status": "affected",
"version": "14.4",
"versionType": "custom"
},
{
"lessThan": "15.0.8231",
"status": "affected",
"version": "15.0",
"versionType": "custom"
},
{
"lessThan": "15.1.8332",
"status": "affected",
"version": "15.1",
"versionType": "custom"
},
{
"lessThan": "15.2.8429",
"status": "affected",
"version": "15.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).\u003cp\u003eThis issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429.\u003c/p\u003e"
}
],
"value": "Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429."
}
],
"impacts": [
{
"capecId": "CAPEC-60",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-60: Reusing Session IDs (Session Replay Attacks)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T13:33:31.450Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2025-1968-April-2025"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-1968",
"datePublished": "2025-04-09T13:33:31.450Z",
"dateReserved": "2025-03-04T17:18:25.818Z",
"dateUpdated": "2026-02-26T18:28:29.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11626 (GCVE-0-2024-11626)
Vulnerability from nvd – Published: 2025-01-07 07:49 – Updated: 2025-01-07 15:37
VLAI?
Summary
Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.
Severity ?
8.4 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Sitefinity |
Affected:
4.0 , ≤ 14.4.8142
(custom)
Affected: 15.0.8200 , ≤ 15.0.8229 (custom) Affected: 15.1.8300 , ≤ 15.1.8327 (custom) Affected: 15.2.8400 , ≤ 15.2.8421 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T15:37:04.758512Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T15:37:28.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThanOrEqual": "14.4.8142",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "15.0.8229",
"status": "affected",
"version": "15.0.8200",
"versionType": "custom"
},
{
"lessThanOrEqual": "15.1.8327",
"status": "affected",
"version": "15.1.8300",
"versionType": "custom"
},
{
"lessThanOrEqual": "15.2.8421",
"status": "affected",
"version": "15.2.8400",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Progress Sitefinity.\u003cp\u003eThis issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003efrom 15.2.8400 through 15.2.8421\u003c/span\u003e.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Progress Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T08:41:25.324Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-11626",
"datePublished": "2025-01-07T07:49:01.805Z",
"dateReserved": "2024-11-22T16:46:13.819Z",
"dateUpdated": "2025-01-07T15:37:28.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11625 (GCVE-0-2024-11625)
Vulnerability from nvd – Published: 2025-01-07 07:48 – Updated: 2025-01-07 15:38
VLAI?
Summary
Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.
Severity ?
7.7 (High)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Sitefinity |
Affected:
4.0 , ≤ 14.4.8142
(custom)
Affected: 15.0.8200 , ≤ 15.0.8229 (custom) Affected: 15.1.8300 , ≤ 15.1.8327 (custom) Affected: 15.2.8400 , ≤ 15.2.8421 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11625",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T15:37:43.488253Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T15:38:00.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThanOrEqual": "14.4.8142",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "15.0.8229",
"status": "affected",
"version": "15.0.8200",
"versionType": "custom"
},
{
"lessThanOrEqual": "15.1.8327",
"status": "affected",
"version": "15.1.8300",
"versionType": "custom"
},
{
"lessThanOrEqual": "15.2.8421",
"status": "affected",
"version": "15.2.8400",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.\u003cp\u003eThis issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003efrom 15.2.8400 through 15.2.8421\u003c/span\u003e.\u003c/p\u003e"
}
],
"value": "Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T08:41:37.639Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-11625",
"datePublished": "2025-01-07T07:48:32.620Z",
"dateReserved": "2024-11-22T16:46:12.566Z",
"dateUpdated": "2025-01-07T15:38:00.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4882 (GCVE-0-2024-4882)
Vulnerability from nvd – Published: 2024-07-08 17:29 – Updated: 2024-08-01 20:55
VLAI?
Title
URL Redirection to Arbitrary Site Exists in Sitefinity
Summary
The user may be redirected to an arbitrary site in Sitefinity 15.1.8321.0 and previous versions.
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Sitefinity |
Affected:
0 , < 15.1.8322.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4882",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T20:10:08.363037Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T20:10:23.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.225Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/Open-Redirect-vulnerability-CVE-2024-4882"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "15.1.8322.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The user may be redirected to an arbitrary site in Sitefinity 15.1.8321.0 and previous versions.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "The user may be redirected to an arbitrary site in Sitefinity 15.1.8321.0 and previous versions."
}
],
"impacts": [
{
"capecId": "CAPEC-194",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-194 Fake the Source of Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T17:29:03.986Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Open-Redirect-vulnerability-CVE-2024-4882"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "URL Redirection to Arbitrary Site Exists in Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-4882",
"datePublished": "2024-07-08T17:29:03.986Z",
"dateReserved": "2024-05-14T18:28:08.154Z",
"dateUpdated": "2024-08-01T20:55:10.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1636 (GCVE-0-2024-1636)
Vulnerability from nvd – Published: 2024-02-28 12:05 – Updated: 2024-08-01 19:14
VLAI?
Title
Potential Cross-Site Scripting (XSS) in the page editing area
Summary
Potential Cross-Site Scripting (XSS) in the page editing area.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Sitefinity |
Affected:
13.3.7600 , < 13.3.7649
(semver)
Affected: 14.4.8100 , < 14.4.8135 (semver) Affected: 15.0.8200 , < 15.0.8227 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:progress:sitefinity:13.3.7600:*:*:*:*:*:*:*",
"cpe:2.3:a:progress:sitefinity:14.4.8100:*:*:*:*:*:*:*",
"cpe:2.3:a:progress:sitefinity:15.0.8200:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "sitefinity",
"vendor": "progress",
"versions": [
{
"lessThan": "13.3.7649",
"status": "affected",
"version": "13.3.7600",
"versionType": "semver"
},
{
"lessThan": "14.4.8135",
"status": "affected",
"version": "14.4.8100",
"versionType": "semver"
},
{
"lessThan": "15.0.8227",
"status": "affected",
"version": "15.0.8200",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T19:09:13.452869Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T19:14:11.892Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "13.3.7649",
"status": "affected",
"version": "13.3.7600",
"versionType": "semver"
},
{
"lessThan": "14.4.8135",
"status": "affected",
"version": "14.4.8100",
"versionType": "semver"
},
{
"lessThan": "15.0.8227",
"status": "affected",
"version": "15.0.8200",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Potential Cross-Site Scripting (XSS) in the page editing area."
}
],
"value": "Potential Cross-Site Scripting (XSS) in the page editing area."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-28T12:05:23.082Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential Cross-Site Scripting (XSS) in the page editing area",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-1636",
"datePublished": "2024-02-28T12:05:23.082Z",
"dateReserved": "2024-02-19T18:09:55.024Z",
"dateUpdated": "2024-08-01T19:14:11.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1632 (GCVE-0-2024-1632)
Vulnerability from nvd – Published: 2024-02-28 12:04 – Updated: 2024-08-02 19:28
VLAI?
Title
Incorrect access control in the Sitefinity backend
Summary
Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.
Severity ?
8.8 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Sitefinity |
Affected:
13.3.7600 , < 13.3.7649
(semver)
Affected: 14.4.8100 , < 14.4.8135 (semver) Affected: 15.0.8200 , < 15.0.8227 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.676Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1632",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T19:28:41.072718Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T19:28:52.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Sitefinity",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "13.3.7649",
"status": "affected",
"version": "13.3.7600",
"versionType": "semver"
},
{
"lessThan": "14.4.8135",
"status": "affected",
"version": "14.4.8100",
"versionType": "semver"
},
{
"lessThan": "15.0.8227",
"status": "affected",
"version": "15.0.8200",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site\u0027s administrative area."
}
],
"value": "Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site\u0027s administrative area."
}
],
"impacts": [
{
"capecId": "CAPEC-58",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-58: Restful Privilege Elevation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-28T12:04:45.869Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect access control in the Sitefinity backend",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-1632",
"datePublished": "2024-02-28T12:04:45.869Z",
"dateReserved": "2024-02-19T16:26:35.455Z",
"dateUpdated": "2024-08-02T19:28:52.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6784 (GCVE-0-2023-6784)
Vulnerability from nvd – Published: 2023-12-20 14:00 – Updated: 2024-11-27 20:02
VLAI?
Title
Potential Use of the Sitefinity System for Distribution of Phishing Emails
Summary
A malicious user could potentially use the Sitefinity system for the distribution of phishing emails.
Severity ?
4.7 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Sitefinity |
Affected:
15.0 , < 15.0.8223
(semver)
Affected: 14.4 , < 14.4.8133 (semver) Affected: 14.3 , < 14.3.8029 (semver) Affected: 14.2 , < 14.2.7932 (semver) Affected: 14.1 , < 14.1.7828 (semver) Affected: 13.3 , < 13.3.7648 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:42:07.414Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2023-6784-December-2023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6784",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T20:02:16.353969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T20:02:36.832Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Sitefinity",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "15.0.8223",
"status": "affected",
"version": "15.0",
"versionType": "semver"
},
{
"lessThan": "14.4.8133",
"status": "affected",
"version": "14.4",
"versionType": "semver"
},
{
"lessThan": "14.3.8029",
"status": "affected",
"version": "14.3",
"versionType": "semver"
},
{
"lessThan": "14.2.7932",
"status": "affected",
"version": "14.2",
"versionType": "semver"
},
{
"lessThan": "14.1.7828",
"status": "affected",
"version": "14.1",
"versionType": "semver"
},
{
"lessThan": "13.3.7648",
"status": "affected",
"version": "13.3",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nA malicious user could potentially use the Sitefinity system for the distribution of phishing emails.\n\n"
}
],
"value": "\nA malicious user could potentially use the Sitefinity system for the distribution of phishing emails.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-98",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-98 Phishing"
}
]
},
{
"capecId": "CAPEC-163",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-163 Spear Phishing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-20T14:00:55.962Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2023-6784-December-2023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential Use of the Sitefinity System for Distribution of Phishing Emails",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2023-6784",
"datePublished": "2023-12-20T14:00:55.962Z",
"dateReserved": "2023-12-13T15:43:43.447Z",
"dateUpdated": "2024-11-27T20:02:36.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1968 (GCVE-0-2025-1968)
Vulnerability from cvelistv5 – Published: 2025-04-09 13:33 – Updated: 2026-02-26 18:28
VLAI?
Summary
Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429.
Severity ?
7.7 (High)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Sitefinity |
Affected:
14.0 , ≤ 14.3
(custom)
Affected: 14.4 , < 14.4.8145 (custom) Affected: 15.0 , < 15.0.8231 (custom) Affected: 15.1 , < 15.1.8332 (custom) Affected: 15.2 , < 15.2.8429 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T03:55:30.253793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T18:28:29.081Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThanOrEqual": "14.3",
"status": "affected",
"version": "14.0",
"versionType": "custom"
},
{
"lessThan": "14.4.8145",
"status": "affected",
"version": "14.4",
"versionType": "custom"
},
{
"lessThan": "15.0.8231",
"status": "affected",
"version": "15.0",
"versionType": "custom"
},
{
"lessThan": "15.1.8332",
"status": "affected",
"version": "15.1",
"versionType": "custom"
},
{
"lessThan": "15.2.8429",
"status": "affected",
"version": "15.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).\u003cp\u003eThis issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429.\u003c/p\u003e"
}
],
"value": "Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429."
}
],
"impacts": [
{
"capecId": "CAPEC-60",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-60: Reusing Session IDs (Session Replay Attacks)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T13:33:31.450Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2025-1968-April-2025"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-1968",
"datePublished": "2025-04-09T13:33:31.450Z",
"dateReserved": "2025-03-04T17:18:25.818Z",
"dateUpdated": "2026-02-26T18:28:29.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11626 (GCVE-0-2024-11626)
Vulnerability from cvelistv5 – Published: 2025-01-07 07:49 – Updated: 2025-01-07 15:37
VLAI?
Summary
Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.
Severity ?
8.4 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Sitefinity |
Affected:
4.0 , ≤ 14.4.8142
(custom)
Affected: 15.0.8200 , ≤ 15.0.8229 (custom) Affected: 15.1.8300 , ≤ 15.1.8327 (custom) Affected: 15.2.8400 , ≤ 15.2.8421 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T15:37:04.758512Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T15:37:28.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThanOrEqual": "14.4.8142",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "15.0.8229",
"status": "affected",
"version": "15.0.8200",
"versionType": "custom"
},
{
"lessThanOrEqual": "15.1.8327",
"status": "affected",
"version": "15.1.8300",
"versionType": "custom"
},
{
"lessThanOrEqual": "15.2.8421",
"status": "affected",
"version": "15.2.8400",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Progress Sitefinity.\u003cp\u003eThis issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003efrom 15.2.8400 through 15.2.8421\u003c/span\u003e.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Progress Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T08:41:25.324Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-11626",
"datePublished": "2025-01-07T07:49:01.805Z",
"dateReserved": "2024-11-22T16:46:13.819Z",
"dateUpdated": "2025-01-07T15:37:28.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11625 (GCVE-0-2024-11625)
Vulnerability from cvelistv5 – Published: 2025-01-07 07:48 – Updated: 2025-01-07 15:38
VLAI?
Summary
Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.
Severity ?
7.7 (High)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Sitefinity |
Affected:
4.0 , ≤ 14.4.8142
(custom)
Affected: 15.0.8200 , ≤ 15.0.8229 (custom) Affected: 15.1.8300 , ≤ 15.1.8327 (custom) Affected: 15.2.8400 , ≤ 15.2.8421 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11625",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T15:37:43.488253Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T15:38:00.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThanOrEqual": "14.4.8142",
"status": "affected",
"version": "4.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "15.0.8229",
"status": "affected",
"version": "15.0.8200",
"versionType": "custom"
},
{
"lessThanOrEqual": "15.1.8327",
"status": "affected",
"version": "15.1.8300",
"versionType": "custom"
},
{
"lessThanOrEqual": "15.2.8421",
"status": "affected",
"version": "15.2.8400",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.\u003cp\u003eThis issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003efrom 15.2.8400 through 15.2.8421\u003c/span\u003e.\u003c/p\u003e"
}
],
"value": "Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T08:41:37.639Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-11625",
"datePublished": "2025-01-07T07:48:32.620Z",
"dateReserved": "2024-11-22T16:46:12.566Z",
"dateUpdated": "2025-01-07T15:38:00.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4882 (GCVE-0-2024-4882)
Vulnerability from cvelistv5 – Published: 2024-07-08 17:29 – Updated: 2024-08-01 20:55
VLAI?
Title
URL Redirection to Arbitrary Site Exists in Sitefinity
Summary
The user may be redirected to an arbitrary site in Sitefinity 15.1.8321.0 and previous versions.
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Sitefinity |
Affected:
0 , < 15.1.8322.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4882",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T20:10:08.363037Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T20:10:23.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.225Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/Open-Redirect-vulnerability-CVE-2024-4882"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "15.1.8322.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The user may be redirected to an arbitrary site in Sitefinity 15.1.8321.0 and previous versions.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "The user may be redirected to an arbitrary site in Sitefinity 15.1.8321.0 and previous versions."
}
],
"impacts": [
{
"capecId": "CAPEC-194",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-194 Fake the Source of Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T17:29:03.986Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Open-Redirect-vulnerability-CVE-2024-4882"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "URL Redirection to Arbitrary Site Exists in Sitefinity",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-4882",
"datePublished": "2024-07-08T17:29:03.986Z",
"dateReserved": "2024-05-14T18:28:08.154Z",
"dateUpdated": "2024-08-01T20:55:10.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1636 (GCVE-0-2024-1636)
Vulnerability from cvelistv5 – Published: 2024-02-28 12:05 – Updated: 2024-08-01 19:14
VLAI?
Title
Potential Cross-Site Scripting (XSS) in the page editing area
Summary
Potential Cross-Site Scripting (XSS) in the page editing area.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Sitefinity |
Affected:
13.3.7600 , < 13.3.7649
(semver)
Affected: 14.4.8100 , < 14.4.8135 (semver) Affected: 15.0.8200 , < 15.0.8227 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:progress:sitefinity:13.3.7600:*:*:*:*:*:*:*",
"cpe:2.3:a:progress:sitefinity:14.4.8100:*:*:*:*:*:*:*",
"cpe:2.3:a:progress:sitefinity:15.0.8200:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "sitefinity",
"vendor": "progress",
"versions": [
{
"lessThan": "13.3.7649",
"status": "affected",
"version": "13.3.7600",
"versionType": "semver"
},
{
"lessThan": "14.4.8135",
"status": "affected",
"version": "14.4.8100",
"versionType": "semver"
},
{
"lessThan": "15.0.8227",
"status": "affected",
"version": "15.0.8200",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T19:09:13.452869Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T19:14:11.892Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sitefinity",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "13.3.7649",
"status": "affected",
"version": "13.3.7600",
"versionType": "semver"
},
{
"lessThan": "14.4.8135",
"status": "affected",
"version": "14.4.8100",
"versionType": "semver"
},
{
"lessThan": "15.0.8227",
"status": "affected",
"version": "15.0.8200",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Potential Cross-Site Scripting (XSS) in the page editing area."
}
],
"value": "Potential Cross-Site Scripting (XSS) in the page editing area."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-28T12:05:23.082Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential Cross-Site Scripting (XSS) in the page editing area",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-1636",
"datePublished": "2024-02-28T12:05:23.082Z",
"dateReserved": "2024-02-19T18:09:55.024Z",
"dateUpdated": "2024-08-01T19:14:11.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1632 (GCVE-0-2024-1632)
Vulnerability from cvelistv5 – Published: 2024-02-28 12:04 – Updated: 2024-08-02 19:28
VLAI?
Title
Incorrect access control in the Sitefinity backend
Summary
Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.
Severity ?
8.8 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Sitefinity |
Affected:
13.3.7600 , < 13.3.7649
(semver)
Affected: 14.4.8100 , < 14.4.8135 (semver) Affected: 15.0.8200 , < 15.0.8227 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.676Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1632",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T19:28:41.072718Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T19:28:52.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Sitefinity",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "13.3.7649",
"status": "affected",
"version": "13.3.7600",
"versionType": "semver"
},
{
"lessThan": "14.4.8135",
"status": "affected",
"version": "14.4.8100",
"versionType": "semver"
},
{
"lessThan": "15.0.8227",
"status": "affected",
"version": "15.0.8200",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site\u0027s administrative area."
}
],
"value": "Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site\u0027s administrative area."
}
],
"impacts": [
{
"capecId": "CAPEC-58",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-58: Restful Privilege Elevation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-28T12:04:45.869Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect access control in the Sitefinity backend",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-1632",
"datePublished": "2024-02-28T12:04:45.869Z",
"dateReserved": "2024-02-19T16:26:35.455Z",
"dateUpdated": "2024-08-02T19:28:52.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6784 (GCVE-0-2023-6784)
Vulnerability from cvelistv5 – Published: 2023-12-20 14:00 – Updated: 2024-11-27 20:02
VLAI?
Title
Potential Use of the Sitefinity System for Distribution of Phishing Emails
Summary
A malicious user could potentially use the Sitefinity system for the distribution of phishing emails.
Severity ?
4.7 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software Corporation | Sitefinity |
Affected:
15.0 , < 15.0.8223
(semver)
Affected: 14.4 , < 14.4.8133 (semver) Affected: 14.3 , < 14.3.8029 (semver) Affected: 14.2 , < 14.2.7932 (semver) Affected: 14.1 , < 14.1.7828 (semver) Affected: 13.3 , < 13.3.7648 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:42:07.414Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2023-6784-December-2023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6784",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T20:02:16.353969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T20:02:36.832Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Sitefinity",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "15.0.8223",
"status": "affected",
"version": "15.0",
"versionType": "semver"
},
{
"lessThan": "14.4.8133",
"status": "affected",
"version": "14.4",
"versionType": "semver"
},
{
"lessThan": "14.3.8029",
"status": "affected",
"version": "14.3",
"versionType": "semver"
},
{
"lessThan": "14.2.7932",
"status": "affected",
"version": "14.2",
"versionType": "semver"
},
{
"lessThan": "14.1.7828",
"status": "affected",
"version": "14.1",
"versionType": "semver"
},
{
"lessThan": "13.3.7648",
"status": "affected",
"version": "13.3",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nA malicious user could potentially use the Sitefinity system for the distribution of phishing emails.\n\n"
}
],
"value": "\nA malicious user could potentially use the Sitefinity system for the distribution of phishing emails.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-98",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-98 Phishing"
}
]
},
{
"capecId": "CAPEC-163",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-163 Spear Phishing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-20T14:00:55.962Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/sitefinity-cms"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2023-6784-December-2023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential Use of the Sitefinity System for Distribution of Phishing Emails",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2023-6784",
"datePublished": "2023-12-20T14:00:55.962Z",
"dateReserved": "2023-12-13T15:43:43.447Z",
"dateUpdated": "2024-11-27T20:02:36.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}