Security Advisory For Resolving Security Vulnerabilities, May 2019


Information

 
Article Number: 000116888
Environment:
Product: Sitefinity
Version: 4.x, 5.x, 6.x, 7.x, 8.x, 9.x, 10.x, 11.x, 12.x
OS: All supported OS versions
Database: All supported database server versions
Question/Problem Description

A set of potential security vulnerabilities has been identified in Progress Sitefinity CMS. Below you will find information on each vulnerability and a list of the bugfix rollup patches available per version. If you have questions, please contact Progress Technical Support.

  • ECommerce PayPal vulnerability 

  • Authentication cookie invalidation  

  • CSRF in WCF services in classic backend UI 

Resolution

For optimal security, we recommend an upgrade to the latest Progress Sitefinity CMS release. 

A remedy is also available for the older Progress Sitefinity CMS versions listed below:

 

| Sitefinity Version | Patch Version | Ecommerce PayPal vulnerability | Authentication cookie invalidation | CSRF in WCF services in classic backend UI |
|---|---|---|---|---|
| 11.2 | 11.2.6929 | Fixed | Fixed | Fixed |
| 11.1 | 11.1.6826 | Fixed | Fixed | Fixed |
| 11.0 | 11.0.6736 | Fixed | Fixed | Fixed |
| 10.2 | 10.2.6649 | Fixed | Fixed | N/A |
| 10.1 | 10.1.6540 | Fixed | Fixed | N/A |
| 10.0 | 10.0.6429 | Fixed | Fixed | N/A |
| 9.2 | 9.2.6274 | Fixed | Fixed | N/A |
| 9.1 | 9.1.6183 | Fixed | Fixed | N/A |
| 9.0 | 9.0.6063 | Fixed | Fixed | N/A |
| 8.2 | 8.2.5973 | Fixed | Fixed | N/A |
| 8.1 | 8.1.5863 | Fixed | Fixed | N/A |
| 8.0 | 8.0.5773 | Fixed | Fixed | N/A |
| 7.3 | 7.3.5693 | Fixed | Fixed | N/A |
| 7.2 | 7.2.5353 | Fixed | Fixed | N/A |
| 7.1 | 7.1.5243 | Fixed | Fixed | N/A |
| 7.0 | 7.0.5143 | Fixed | Fixed | N/A |

 

Notes
For more information on how to apply the patch, refer to Progress Knowledge Base Article 000076924, "How to update Sitefinity to hotfix, internal build or a patch".

Last Modified Date: 7/29/2019 10:06 AM