CVE-2024-11625
Published: 07 January 2025
Description
Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.
Security Summary
CVE-2024-11625 is an Information Exposure Through an Error Message vulnerability (CWE-209) in Progress Software Corporation's Sitefinity content management system. It affects Sitefinity versions from 4.0 through 14.4.8142, 15.0.8200 through 15.0.8229, 15.1.8300 through 15.1.8327, and 15.2.8400 through 15.2.8421. The vulnerability has a CVSS v3.1 base score of 7.7 (High), with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L, indicating network accessibility, high attack complexity, no privileges or user interaction required, and impacts of high confidentiality and integrity loss alongside low availability disruption.
Unauthenticated remote attackers can exploit this vulnerability over the network by triggering specific error conditions that disclose sensitive information through error messages. Successful exploitation has high confidentiality impact, since potentially sensitive data is exposed; high integrity impact, since the leaked information may enable subsequent manipulation; and low availability impact. The high attack-complexity rating indicates that exploitation is not straightforward and depends on conditions outside the attacker's direct control.
Progress Software has issued a security advisory detailing mitigation for CVE-2024-11625, available at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025. Additional resources on Sitefinity are at https://www.progress.com/sitefinity-cms. Security practitioners should review the advisory for patching instructions and apply updates to affected versions promptly.
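As an added inventory check, not part of this CVE record or of Progress Software's advisory, the following Python compares an installed Sitefinity build number against the affected ranges listed above. The host names and build numbers in the sample inventory are constructed, and because the record lists no fixed builds, a version outside all four ranges is reported only as "not in a listed range", not as patched.

```python
"""Check whether a Sitefinity build number falls in an affected range for CVE-2024-11625.

The ranges are transcribed from the CVE description. The fixed builds are not
listed on this page, so anything outside these ranges is reported as
"not in a listed range", not as patched; consult the vendor advisory for that.
"""
from __future__ import annotations

# Inclusive (first affected, last affected) pairs from the CVE description.
AFFECTED_RANGES = [
    ("4.0", "14.4.8142"),
    ("15.0.8200", "15.0.8229"),
    ("15.1.8300", "15.1.8327"),
    ("15.2.8400", "15.2.8421"),
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '15.1.8300' into (15, 1, 8300); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def _pad(v: tuple[int, ...], width: int) -> tuple[int, ...]:
    # "4.0" and "4.0.0" denote the same build, so pad with zeros before comparing.
    return v + (0,) * (width - len(v))


def version_in_range(version: str, low: str, high: str) -> bool:
    """Inclusive comparison of dotted numeric versions; missing components count as 0."""
    v, lo, hi = map(parse_version, (version, low, high))
    width = max(len(v), len(lo), len(hi))
    return _pad(lo, width) <= _pad(v, width) <= _pad(hi, width)


def affected_range(version: str) -> tuple[str, str] | None:
    """Return the (low, high) range an installed build falls into, or None if none matches."""
    for low, high in AFFECTED_RANGES:
        if version_in_range(version, low, high):
            return (low, high)
    return None


if __name__ == "__main__":
    # Constructed sample inventory; host names are placeholders, not real systems.
    inventory = {"cms-01": "14.4.8100", "cms-02": "15.1.8330", "cms-03": "15.2.8421"}
    for host, build in inventory.items():
        hit = affected_range(build)
        status = f"in affected range {hit[0]} to {hit[1]}" if hit else "not in a listed range"
        print(f"{host}: Sitefinity {build}: {status}")
```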
Details
- CWE(s)