CMS: Updates plug security leaks in Progress Sitefinity
Two security vulnerabilities classified as high risk have been discovered in Progress' Sitefinity CMS. Updates close them.
(Image: created with AI in Bing Designer by heise online / dmk)
Two security vulnerabilities exist in the Sitefinity content management system (CMS) from Progress. The developers classify them as high risk. Admins should download and install the available updates as soon as possible.
According to the Progress security release, insufficient filtering of input during site creation in the CMS backend enables a cross-site scripting vulnerability (CVE-2024-11626, CVSS 8.4, risk "high"). In addition, CMS error messages can disclose information to unauthorized parties (CVE-2024-11625, CVSS 7.7, high). Progress does not describe either vulnerability in detail or explain how attackers could abuse it, so admins cannot judge their exposure beyond the affected-version list; installing the update is the only remedy Progress names.
Sitefinity: Affected versions
Sitefinity versions 4.0 through 14.4.8142, 15.0.8200 through 15.0.8229, 15.1.8300 through 15.1.8327 and 15.2.8400 up to and including 15.2.8421 are affected. For supported versions of Sitefinity, the updates to 14.4.8143, 15.0.8230, 15.1.8328 and 15.2.8422 close the vulnerabilities.
The latest release, however, is Progress Sitefinity 15.2.8423, the manufacturer explains. Progress recommends that users of versions that are no longer supported update their instances to this version. Progress also provides separate upgrade instructions, which include information on updating the cloud versions.
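The affected ranges and fixed builds above are easy to misread when an instance reports a four-part assembly version. The following checker is an added example written for this article, not a tool from Progress or heise: it parses a Sitefinity version string (for instance the product version of the Telerik.Sitefinity.dll assembly in the site's bin folder, an assumption about where admins read it), tests it against the ranges quoted from the advisory, and names the build to install. Two assumptions are encoded: the advisory's lower bound "4.0" is treated as build 0, and every line before 14.4 is treated as unsupported, so the recommendation for those is the latest release 15.2.8423, as the article describes. The sample versions in the main block are constructed.

```python
import sys

# Affected ranges and fixed builds as listed in the Progress advisory and
# quoted in the article. Each entry: (first affected, last affected, fixed
# build), all inclusive, as (major, minor, build) tuples. The advisory names
# no build for "4.0", so it is treated as build 0 here (assumption).
AFFECTED_LINES = [
    ((4, 0, 0),     (14, 4, 8142), (14, 4, 8143)),
    ((15, 0, 8200), (15, 0, 8229), (15, 0, 8230)),
    ((15, 1, 8300), (15, 1, 8327), (15, 1, 8328)),
    ((15, 2, 8400), (15, 2, 8421), (15, 2, 8422)),
]

# Latest release named by Progress; target for lines without a fix of their own.
LATEST = (15, 2, 8423)


def parse_version(text):
    """Turn '15.2.8421', '15.2 8421' or an assembly version such as
    '15.2.8421.0' into a (major, minor, build) tuple. A fourth component
    is ignored; a missing build number is treated as 0."""
    parts = [int(p) for p in text.strip().replace(" ", ".").split(".") if p]
    if len(parts) < 2:
        raise ValueError(f"unrecognised Sitefinity version: {text!r}")
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def fmt(version):
    """Render a version tuple back into dotted form."""
    return ".".join(str(p) for p in version)


def assess(text):
    """Return (status, target_version) for one installed version string.

    status: 'affected'     - in a patched line; install target_version
            'affected-eol' - affected, but the line has no fix of its own
                             (assumption: everything before 14.4); move to LATEST
            'fixed'        - at or above the fixed build of its line
            'not listed'   - outside every range in the advisory; check manually
    """
    v = parse_version(text)
    line = v[:2]
    for first, last, fixed in AFFECTED_LINES:
        if first <= v <= last:
            if line == fixed[:2]:
                return ("affected", fmt(fixed))
            # The 4.0 .. 14.4.8142 range covers every line before 14.4, and the
            # advisory offers a fixed build only for 14.4 itself.
            return ("affected-eol", fmt(LATEST))
    if v >= LATEST:
        return ("fixed", fmt(v))
    for _first, _last, fixed in AFFECTED_LINES:
        if line == fixed[:2] and v >= fixed:
            return ("fixed", fmt(v))
    return ("not listed", fmt(LATEST))


if __name__ == "__main__":
    # Constructed sample versions; pass real ones as arguments instead.
    for arg in sys.argv[1:] or ["15.2.8421.0", "14.3.8000", "15.0.8230", "4.0"]:
        status, target = assess(arg)
        print(f"{arg:>14}: {status:<13} -> {target}")
```

Run it with the version string of each instance as an argument; an "affected" result names the fixed build for that line, while "affected-eol" means the instance is on a line the advisory does not patch and should go to 15.2.8423 following the separate upgrade instructions.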
Progress' portfolio is very extensive, and it regularly contains products with security vulnerabilities that are attacked in the wild. Progress MOVEit Transfer is the best-known example: the cybercrime gang Cl0p exploited vulnerabilities in it to steal data from many well-known companies and extort them. In mid-November, attackers exploited a code injection vulnerability in the Progress Kemp LoadMaster load balancer.
(dmk)