CVE-2024-1636 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
ProgressSoftware	CNA	8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Vendor	Product	Version
progress	sitefinity	13.3.7649 < 𝑥 < 13.3.7649
progress	sitefinity	14.4.8135 < 𝑥 < 14.4.8135
progress	sitefinity	15.0.8227 < 𝑥 < 15.0.8227
progress	sitefinity	𝑥 < 13.3.7649
progress	sitefinity	14.0 ≤ 𝑥 < 14.4.8135
progress	sitefinity	15.0.8200 ≤ 𝑥 < 15.0.8227

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024

https://www.progress.com/sitefinity-cms

https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024

https://www.progress.com/sitefinity-cms