Cross-Site Scripting Vulnerability in Progress Sitefinity Web Application
CVE-2017-18176

5.4MEDIUM

Key Information:

Vendor: Progress
Status: Sitefinity
Vendor: CVE Published:; 12 February 2018

Summary

Progress Sitefinity version 9.1 is susceptible to a Cross-Site Scripting (XSS) vulnerability due to improper validation in its file upload functionality. The flaw arises when JavaScript code within uploaded HTML files is executed within the same origin as the application's code, allowing attackers to potentially execute malicious scripts in the context of other users. This vulnerability has been resolved in version 10.1 of the software.

References

https://www.sec-consult.com/en/blog/advisories/multiple-v...

x_refsource_MISC

https://packetstormsecurity.com/files/143894/Progress-Sit...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability Reserved
Oct 3, 2022
Vulnerability published
Feb 12, 2018