Progress Sitefinity

Insufficient Session Expiration in Progress Sitefinity 14–15.2 (before 15.2.8429)
CVE-2025-1968 7.7 - High - April 09, 2025

Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429.

Insufficient Session Expiration

Insufficient Expiration in Progress Sitefinity 4.015.2 Session Fixation
CVE-2024-11627 8.1 - High - January 07, 2025

: Insufficient Session Expiration vulnerability in Progress Sitefinity allows : Session Fixation.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.

Sitefinity XSS in CMS Admin (v4.0-15.2.8421)
CVE-2024-11626 4.8 - Medium - January 07, 2025

Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.

Sitefinity Info Disclosure via Error Msg (4.0-15.2.8421)
CVE-2024-11625 5.3 - Medium - January 07, 2025

Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.

Open Redirect Vulnerability in Sitefinity CMS 15.x (before 15.1.8321.0)
CVE-2024-4882 - July 08, 2024

The user may be redirected to an arbitrary site in Sitefinity 15.1.8321.0 and previous versions.

Sitefinity <15.0 XSS via SF Editor Content Form (Auth)
CVE-2023-27636 5.4 - Medium - June 16, 2024

Progress Sitefinity before 15.0.0 allows XSS by authenticated users via the content form in the SF Editor.

XSS

Potential XSS in Page Edit Area of Web CMS
CVE-2024-1636 5.4 - Medium - February 28, 2024

Potential Cross-Site Scripting (XSS) in the page editing area.

XSS

Sitefinity Backend Info Disclosure to LowPrivileged Users
CVE-2024-1632 6.5 - Medium - February 28, 2024

Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.

Sitefinity CMS Phishing Email Distribution Vulnerability (CVE-2023-6784)
CVE-2023-6784 4.3 - Medium - December 20, 2023

A malicious user could potentially use the Sitefinity system for the distribution of phishing emails.

Progress Sitefinity 13.314.3 XSS via Media Libraries (privileged users)
CVE-2023-29376 5.4 - Medium - April 10, 2023

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potential XSS by privileged users in Sitefinity to media libraries.

XSS

Progress Sitefinity CVE-2023-29375: File Upload via SharePoint <14.3.8025
CVE-2023-29375 9.8 - Critical - April 10, 2023

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potentially dangerous file upload through the SharePoint connector.

Unrestricted File Upload

Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password
CVE-2019-17392 - November 26, 2019

Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled.

Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts
CVE-2019-7215 6.5 - Medium - June 06, 2019

Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.

Insufficient Session Expiration

An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads.
CVE-2018-17055 7.5 - High - September 28, 2018

An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads.

Unrestricted File Upload

Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey
CVE-2017-9248 9.8 - Critical - July 03, 2017

Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.

Insufficiently Protected Credentials