CVE-2017-18639
https://notcve.org/view.php?id=CVE-2017-18639
Progress Sitefinity CMS before 10.1 allows XSS via /Pages Parameter : Page Title, /Content/News Parameter : News Title, /Content/List Parameter : List Title, /Content/Documents/LibraryDocuments/incident-request-attachments Parameter : Document Title, /Content/Images/LibraryImages/newsimages Parameter : Image Title, /Content/links Parameter : Link Title, /Content/links Parameter : Link Title, or /Content/Videos/LibraryVideos/default-video-library Parameter : Video Title. Progress Sitefinity CMS versiones anteriores a 10.1 permite un ataque de tipo XSS mediante /Pages Parámetro : Page Title, /Content/News Parámetro : News Title, /Content/List Parámetro : List Title, /Content/Documents/LibraryDocuments/incident-request-attachments Parámetro : Document Title, /Content/Images/LibraryImages/newsimages Parámetro : Image Title, /Content/links Parámetro : Link Title, /Content/links Parámetro : Link Title, o /Content/Videos/LibraryVideos/default-video-library Parámetro : Video Title. • https://www.exploit-db.com/exploits/42792 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-17054
https://notcve.org/view.php?id=CVE-2018-17054
Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17053. Una vulnerabilidad Cross-Site Scripting (XSS) en Identity Server en Progress Sitefinity CMS, de la versión 10.0 a la 11.0, permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante vectores relacionados con parámetros de petición de inicio de sesión. Esta vulnerabilidad es diferente de CVE-2018-17053. • https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-17053
https://notcve.org/view.php?id=CVE-2018-17053
Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17054. Una vulnerabilidad Cross-Site Scripting (XSS) en Identity Server en Progress Sitefinity CMS, de la versión 10.0 a la 11.0, permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante vectores relacionados con parámetros de petición de inicio de sesión. Esta vulnerabilidad es diferente de CVE-2018-17054. • https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-9140
https://notcve.org/view.php?id=CVE-2017-9140
Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd. Fue encontrada una vulnerabilidad de tipo Cross-Site Scripting (XSS) en el archivo Telerik.ReportViewer.WebForms.dll en Telerik Reporting para el control Report Viewer de ASP.NET WebForms anterior a R1 2017 SP2 versión (11.0.17.406) permite a los atacantes remotos inyectar un script web o HTML arbitrario por medio del parámetro bgColor hacia Telerik.ReportViewer.axd. • http://www.telerik.com/support/whats-new/reporting/release-history/telerik-reporting-r1-2017-sp2-%28version-11-0-17-406%29 https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018 https://www.veracode.com/blog/research/anatomy-cross-site-scripting-flaw-telerik-reporting-module • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •