CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17053
https://notcve.org/view.php?id=CVE-2018-17053
Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17054. Una vulnerabilidad Cross-Site Scripting (XSS) en Identity Server en Progress Sitefinity CMS, de la versión 10.0 a la 11.0, permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante vectores relacionados con parámetros de petición de inicio de sesión. Esta vulnerabilidad es diferente de CVE-2018-17054. • https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17056
https://notcve.org/view.php?id=CVE-2018-17056
Cross-site scripting (XSS) vulnerability in ServiceStack in Progress Sitefinity CMS versions 10.2 through 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad Cross-Site Scripting (XSS) en ServiceStack en Progress Sitefinity CMS, de la versión 10.2 a la 11.0, permite a atacantes remotos inyectar scripts web o HTML arbitrarios utilizando vectores no especificados. • https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17055
https://notcve.org/view.php?id=CVE-2018-17055
An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. Una vulnerabilidad de subida de archivos arbitrarios en Progress Sitefinity CMS, desde la versión 4.0 hasta la 11.0, relacionada con la subida de imágenes. • https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2017-18179
https://notcve.org/view.php?id=CVE-2017-18179
Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring authentication token that remains valid after a password change or a session termination. Also, it is transmitted as a GET parameter. This is fixed in 10.1. Progress Sitefinity 9.1 emplea wrap_access_token como token de autenticación sin caducidad que sigue siendo válido tras un cambio de contraseña o una finalización de sesión. Además, se transmite como parámetro GET. • https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html • CWE-287: Improper Authentication •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2017-18177
https://notcve.org/view.php?id=CVE-2017-18177
Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1. Progress Sitefinity 9.1 tiene XSS mediante los campos Last name, First name y About en la página de creación de nuevo usuario. Esto se ha solucionado en la versión 10.1. • https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •