
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Jun 2019 — A Directory Traversal issue was discovered in SSHServerAPI.dll in Progress Ipswitch WS_FTP Server 2018 before 8.6.1. An attacker can supply a string using special patterns via the SCP protocol to disclose WS_FTP usernames as well as filenames. • https://docs.ipswitch.com/WS_FTP_Server2018/ReleaseNotes/index.htm#49242.htm • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.5 • EPSS: 0% • CPEs: 16 • EXPL: 0

06 Jun 2019 — Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed. • https://knowledgebase.progress.com/#sort=relevancy&f:%40objecttypelabel=%5BProduct%20Alert%5D • CWE-613: Insufficient Session Expiration

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Jun 2019 — Telerik Fiddler v5.0.20182.28034 doesn't verify the hash of EnableLoopback.exe before running it, which could lead to code execution or local privilege escalation by replacing the original EnableLoopback.exe. • https://vuldb.com/?id.135671 • CWE-354: Improper Validation of Integrity Check Value

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 Oct 2018 — Telerik Extensions for ASP.NET MVC (all versions) does not whitelist requests, which can allow a remote attacker to access files inside the server's web directory. NOTE: this product has been obsolete since June 2013. • https://www.telerik.com/support/code-library/security-alert-for-the-obsolete-telerik-extensions-for-asp-net-mvc

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

03 Oct 2018 — Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17054. • https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

03 Oct 2018 — Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17053. • https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

28 Sep 2018 — An arbitrary file upload vulnerability exists in Progress Sitefinity CMS versions 4.0 through 11.0, related to image uploads. • https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

28 Sep 2018 — Cross-site scripting (XSS) vulnerability in ServiceStack in Progress Sitefinity CMS versions 10.2 through 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. • https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 2

27 Sep 2018 — Cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v2018.1.221 allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor because of the editorNS.Serializer toEditableHtml function in kendo.all.min.js. If the victim accesses the editor, the payload gets executed. Furthermore, if the payload is reflected at any other resource that does rely on the sanitisation of the editor itself, the JavaScript payload will be executed in the context of the application. This... • https://packetstorm.news/files/id/149569 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 2

12 Feb 2018 — Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src attribute of an IMG element. This is fixed in 10.1. • https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')