CVE-2024-1636 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Affected Products (NVD)

Vendor	Product	Version
progress	sitefinity	𝑥 < 13.3.7649
progress	sitefinity	14.0 ≤ 𝑥 < 14.4.8135
progress	sitefinity	15.0.8200 ≤ 𝑥 < 15.0.8227

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
progress	sitefinity	13.3.7600 ≤ 𝑥 < 13.3.7649	ADP
progress	sitefinity	14.4.8100 ≤ 𝑥 < 14.4.8135	ADP
progress	sitefinity	15.0.8200 ≤ 𝑥 < 15.0.8227	ADP

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024

https://www.progress.com/sitefinity-cms

https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024

https://www.progress.com/sitefinity-cms