CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2019-17392
https://notcve.org/view.php?id=CVE-2019-17392
26 Nov 2019 — Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled. Progress Sitefinity versión 12.1, tiene un mecanismo de recuperación de contraseña débil para una contraseña olvidada porque el encabezado de Host de HTTP es manejado inapropiadamente. • https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-November-2019 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-18639
https://notcve.org/view.php?id=CVE-2017-18639
06 Nov 2019 — Progress Sitefinity CMS before 10.1 allows XSS via /Pages Parameter : Page Title, /Content/News Parameter : News Title, /Content/List Parameter : List Title, /Content/Documents/LibraryDocuments/incident-request-attachments Parameter : Document Title, /Content/Images/LibraryImages/newsimages Parameter : Image Title, /Content/links Parameter : Link Title, /Content/links Parameter : Link Title, or /Content/Videos/LibraryVideos/default-video-library Parameter : Video Title. Progress Sitefinity CMS versiones ant... • https://www.exploit-db.com/exploits/42792 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 16EXPL: 0CVE-2019-7215
https://notcve.org/view.php?id=CVE-2019-7215
06 Jun 2019 — Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed. Progress Sitefinity 10.1.6536 no invalida las cookies de sesión al cerrar la sesión. En su lugar, intenta sobrescribir la cookie en el navegador, pero sigue siendo válida en el lado del servidor. • https://knowledgebase.progress.com/#sort=relevancy&f:%40objecttypelabel=%5BProduct%20Alert%5D • CWE-613: Insufficient Session Expiration •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17053
https://notcve.org/view.php?id=CVE-2018-17053
03 Oct 2018 — Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17054. Una vulnerabilidad Cross-Site Scripting (XSS) en Identity Server en Progress Sitefinity CMS, de la versión 10.0 a la 11.0, permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante vectores relacionados con parámetros ... • https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17054
https://notcve.org/view.php?id=CVE-2018-17054
03 Oct 2018 — Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17053. Una vulnerabilidad Cross-Site Scripting (XSS) en Identity Server en Progress Sitefinity CMS, de la versión 10.0 a la 11.0, permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante vectores relacionados con parámetros ... • https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17055
https://notcve.org/view.php?id=CVE-2018-17055
28 Sep 2018 — An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. Una vulnerabilidad de subida de archivos arbitrarios en Progress Sitefinity CMS, desde la versión 4.0 hasta la 11.0, relacionada con la subida de imágenes. • https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17056
https://notcve.org/view.php?id=CVE-2018-17056
28 Sep 2018 — Cross-site scripting (XSS) vulnerability in ServiceStack in Progress Sitefinity CMS versions 10.2 through 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad Cross-Site Scripting (XSS) en ServiceStack en Progress Sitefinity CMS, de la versión 10.2 a la 11.0, permite a atacantes remotos inyectar scripts web o HTML arbitrarios utilizando vectores no especificados. • https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2017-18175
https://notcve.org/view.php?id=CVE-2017-18175
12 Feb 2018 — Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src attribute of an IMG element. This is fixed in 10.1. Progress Sitefinity 9.1 tiene XSS mediante Content Management Template Configuration (también llamado Templateconfiguration), tal y como demuestra el atributo src de un elemento IMG. Esto se ha solucionado en la versión 10.1. • https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2017-18176
https://notcve.org/view.php?id=CVE-2017-18176
12 Feb 2018 — Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1. Progress Sitefinity 9.1 tiene XSS mediante la subida de archivos, debido a que el código JavaScript en un archivo HTML tiene el mismo origen que el propio código de la aplicación. Esto se ha solucionado en la versión 10.1. • https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2017-18177
https://notcve.org/view.php?id=CVE-2017-18177
12 Feb 2018 — Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1. Progress Sitefinity 9.1 tiene XSS mediante los campos Last name, First name y About en la página de creación de nuevo usuario. Esto se ha solucionado en la versión 10.1. • https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •