Security Advisory for Resolving Security vulnerabilities, November, 2019


Information

Title: Security Advisory for Resolving Security vulnerabilities, November, 2019
URL Name: Security-Advisory-for-Resolving-Security-vulnerabilities-November-2019
Article Number: 000134064
Environment:
  Product: Sitefinity
  Version: 5.x, 6.x, 7.x, 8.x, 9.x, 10.x, 11.x, 12.x
  OS: All supported OS versions
  Database: All supported database server versions
Question/Problem Description
A set of potential security vulnerabilities has been identified in Progress Sitefinity CMS. Below you will find information on the vulnerabilities and a list of the bugfix rollup patches available per version. If you have questions, please contact Progress Technical Support.
 
  • Reflected XSS vulnerability (Critical)

Insufficient sanitization of the login request parameters may lead to reflected cross-site scripting (XSS).

  • Host header vulnerability (High)

A malicious user can perform advanced password reset attacks.

Note: The Host header vulnerability affects only users registered in Sitefinity membership providers. Websites that utilize external membership providers such as Azure AD or LDAP are not vulnerable.
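The advisory does not describe how the Host header issue class works internally, so the following is an added illustration (not Sitefinity code and not the patched implementation) of the general mitigation pattern: a password reset link built from the request's Host header inherits whatever hostname the requester supplied, while a link built from configured, allow-listed hosts does not. All hostnames, the `/reset-password` path, the `Request` class and the log line format are constructed for this example; the detection function at the end scans those constructed access-log lines for reset requests carrying a Host value the deployment does not serve.

```python
"""Defensive illustration for the Host header / password reset issue class
described in the advisory. Added example code, not Sitefinity's own
implementation; all hostnames, paths and log lines are constructed."""
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit

# Assumed site configuration: the hosts this deployment legitimately serves
# and the canonical base URL used for every link that is e-mailed out.
TRUSTED_HOSTS = frozenset({"www.example.com", "example.com"})  # constructed
CANONICAL_BASE = "https://www.example.com"                      # constructed


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed)."""
    scheme: str
    host_header: str   # raw value of the Host header as received
    path: str


def normalize_host(host_header: str) -> str:
    """Lower-case the Host value and drop any :port suffix.
    IPv6 literals arrive bracketed, so the port split must respect ']'."""
    host = host_header.strip().lower()
    if host.startswith("["):
        closing = host.find("]")
        return host[: closing + 1] if closing != -1 else host
    return host.split(":", 1)[0]


def is_trusted_host(host_header: str) -> bool:
    """Allow-list check: only hostnames this deployment actually serves."""
    return normalize_host(host_header) in TRUSTED_HOSTS


def build_reset_link_unsafe(req: Request, token: str) -> str:
    """The flawed pattern: the link's origin is copied from the request's
    Host header, so whoever controls that header controls where the
    recipient's reset token is sent. Shown only for contrast."""
    query = urlencode({"token": token})
    return f"{req.scheme}://{req.host_header}/reset-password?{query}"


def build_reset_link_safe(req: Request, token: str) -> str:
    """Hardened pattern: reject requests for hosts we do not serve, and build
    the link from configuration, never from request headers."""
    if not is_trusted_host(req.host_header):
        raise ValueError(f"untrusted Host header: {req.host_header!r}")
    query = urlencode({"token": token})
    return f"{CANONICAL_BASE}/reset-password?{query}"


def link_host(link: str) -> str:
    """Hostname a reset link would send the recipient to."""
    return normalize_host(urlsplit(link).netloc)


# Detection: scan access-log style lines for password reset requests whose
# Host header is not on the allow-list. The line format is constructed:
#   <timestamp> <method> <path> host=<Host header value>
SAMPLE_LOG = """\
2019-11-05T09:12:03Z POST /reset-password host=www.example.com
2019-11-05T09:12:41Z POST /reset-password host=www.example.com:443
2019-11-05T09:13:07Z POST /reset-password host=untrusted-host.test
2019-11-05T09:13:30Z GET /index host=untrusted-host.test
""".splitlines()


def flag_untrusted_reset_requests(lines):
    """Return (timestamp, host) for reset requests carrying an untrusted Host."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[3].startswith("host="):
            continue  # constructed format only; skip anything else
        timestamp, _method, path, host_field = parts
        host = host_field[len("host="):]
        if path == "/reset-password" and not is_trusted_host(host):
            hits.append((timestamp, host))
    return hits


if __name__ == "__main__":
    token = "constructed-token-123"
    legit = Request("https", "www.example.com", "/reset-password")
    forged = Request("https", "untrusted-host.test", "/reset-password")
    print(build_reset_link_unsafe(forged, token))   # origin follows the header
    print(build_reset_link_safe(legit, token))      # origin fixed by config
    print(flag_untrusted_reset_requests(SAMPLE_LOG))
```

The design point is that the safe builder never consults the request at all for the link origin; the allow-list check on `Host` is a second, independent control that also lets the same request reach a reverse proxy or application log as a rejected event, which is what the log scan at the end keys on.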

Resolution

For the highest security, we recommend an upgrade to the latest Progress Sitefinity CMS release 12.2. This version contains the security fixes from all previous releases.  

The security patches are available for supported Progress Sitefinity CMS versions listed below, with fixes as applicable: 

(✓ = fix for that vulnerability is included in the patch)

Sitefinity version | Patch version        | XSS vulnerability | Host header vulnerability
-------------------|----------------------|-------------------|--------------------------
12.1               | 12.1.7128 or later*  | ✓                 | ✓
12.0               | 12.0.7032 or later*  | ✓                 | ✓
11.2               | 11.2.6934 or later*  | ✓                 | ✓
11.1               | 11.1.6828 or later*  | ✓                 | ✓
11.0               | 11.0.6739 or later*  | ✓                 | ✓
10.2               | 10.2.6651 or later*  | ✓                 | ✓
10.1               | 10.1.6542 or later*  | ✓                 | ✓
10.0               | 10.0.6431 or later*  | ✓                 | ✓
9.2                | 9.2.6276 or later*   | Not Vulnerable    | ✓
9.1                | 9.1.6185 or later*   | Not Vulnerable    | ✓
9.0                | Not Available        | Not Vulnerable    | Not Available
8.x                | Not Available        | Not Vulnerable    | Not Available
7.x                | Not Available        | Not Vulnerable    | Not Available
6.x                | Not Available        | Not Vulnerable    | Not Available
5.x                | Not Available        | Not Vulnerable    | Not Available

Notes

*When upgrading, always make sure to upgrade to the latest available PATCH version for your Sitefinity version. The last two numbers of the patch show the latest available build number for that major version, e.g. 12.2.72XX.

For more information, see the following resources:

To apply the patch, perform a complete upgrade; replacing individual DLLs is not sufficient.

 
Special thanks to Ed Ling, Consultant at Dionach Ltd, for identifying and disclosing the Host header vulnerability (CVE-2019-17392):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17392
Last Modified Date: 3/11/2020 10:00 AM