| Max CVSS | 6.5 | Min CVSS | 3.5 | Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published | |
| CVE-2017-18179 | 6.5 |
Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring authentication token that remains valid after a password change or a session termination. Also, it is transmitted as a GET parameter. This is fixed in 10.1.
|
05-03-2018 - 19:58 | 12-02-2018 - 14:29 | |
| CVE-2017-18175 | 3.5 |
Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src attribute of an IMG element. This is fixed in 10.1.
|
05-03-2018 - 19:57 | 12-02-2018 - 14:29 | |
| CVE-2017-18178 | 5.8 |
Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target, if the target is specified using a certain %40 syntax. This is fixed in 10.1.
|
05-03-2018 - 19:57 | 12-02-2018 - 14:29 | |
| CVE-2017-18177 | 3.5 |
Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1.
|
05-03-2018 - 19:17 | 12-02-2018 - 14:29 | |
| CVE-2017-18176 | 3.5 |
Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1.
|
05-03-2018 - 19:03 | 12-02-2018 - 14:29 |