CVE-2019-12440
https://notcve.org/view.php?id=CVE-2019-12440
The Sitecore Rocks plugin before 2.1.149 for Sitecore allows an unauthenticated threat actor to inject malicious commands and code via the Sitecore Rocks Hard Rocks Service. • https://github.com/Sitecore/Sitecore.Rocks/compare/be79dcc...bd9ba6a https://github.com/Sitecore/Sitecore.Rocks/releases/tag/2.1.149 https://kb.sitecore.net/articles/842902 • CWE-287: Improper Authentication
CVE-2018-7669 – Sitecore.Net 8.1 - Directory Traversal
https://notcve.org/view.php?id=CVE-2018-7669
An issue was discovered in Sitecore Sitecore.NET 8.1 rev. 151207 Hotfix 141178-1 and above. The 'Log Viewer' application is vulnerable to a directory traversal attack, allowing an attacker to access arbitrary files from the host Operating System using a sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file= URI. Validation is performed to ensure that the text passed to the 'file' parameter correlates to the correct log file directory. This filter can be bypassed by including a valid log filename and then appending a traditional 'dot dot' style attack. • https://www.exploit-db.com/exploits/45152 https://github.com/palaziv/CVE-2018-7669 http://seclists.org/fulldisclosure/2018/Apr/47 https://kb.sitecore.net/articles/356221 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-11440
https://notcve.org/view.php?id=CVE-2017-11440
In Sitecore 8.2, there is absolute path traversal via the fi parameter of shell/Applications/Layouts/IDE.aspx and the Reference parameter of admin/LinqScratchPad.aspx. • https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-11439
https://notcve.org/view.php?id=CVE-2017-11439
In Sitecore 8.2, there is reflected XSS via the Program parameter of shell/Applications/Tools/Run. • https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-9356
https://notcve.org/view.php?id=CVE-2017-9356
Sitecore.NET 7.1 through 7.2 has a Cross-Site Scripting vulnerability via the searchStr parameter to the /Search-Results URI. • http://seclists.org/bugtraq/2017/Jun/43 http://www.securityfocus.com/bid/99239 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')