CVE-2017-18178 - Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication to

CVE-2017-18178

Summary

Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target, if the target is specified using a certain %40 syntax. This is fixed in 10.1.

References

https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html
https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html

Vulnerable Configurations

cpe:2.3:a:progress:sitefinity:9.1:*:*:*:*:*:*:*
cpe:2.3:a:progress:sitefinity:9.1:*:*:*:*:*:*:*

CVSS

Base:	5.8 (as of 05-03-2018 - 19:57)
Impact:
Exploitability:

CWE

CWE-601

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	NONE

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:N

refmap via4

misc

https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html
https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html

Last major update

05-03-2018 - 19:57

Published

12-02-2018 - 14:29

Last modified

05-03-2018 - 19:57