Cyber Posture

CVE-2024-11626

High

Published: 07 January 2025

Modified: 29 July 2025
KEV Added:
Patch:
CVSS Score: 8.4 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0007 (20.8th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Neutralization of Input During CMS Backend (administrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.

Security Summary

CVE-2024-11626 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, stemming from improper neutralization of input during CMS backend administrative section web page generation in Progress Sitefinity. The issue affects multiple version ranges of Sitefinity, including from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, and from 15.2.8400 through 15.2.8421. Published on January 7, 2025, it carries a CVSS v3.1 base score of 8.4 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).

The CVSS vector indicates network-reachable exploitation with low attack complexity, but it requires high privileges (PR:H), such as an existing account in the Sitefinity administrative backend, and user interaction (UI:R), such as a victim opening a crafted link or page. Successful exploitation changes scope (S:C) and carries high confidentiality, integrity, and availability impact, because injected script runs in the context of an authenticated administrative session rather than in the attacker's own.

Progress has issued a security advisory specifically addressing CVE-2024-11626 alongside CVE-2024-11625, available at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025. Further details on Sitefinity are provided at https://www.progress.com/sitefinity-cms.

Details

CWE(s)
CWE-79

Affected Products

Vendor: progress
Product: sitefinity
Versions: 4.0 — 14.4.8143 · 15.0.8200 — 15.0.8230 · 15.1.8300 — 15.1.8328

References