Article

Security Advisory for Resolving Security vulnerabilities, November, 2019


Information

 
Article Number: 000099710
Environment
Product: Sitefinity
Version: 5.x, 6.x, 7.x, 8.x, 9.x, 10.x, 11.x, 12.x
OS: All supported OS versions
Database: All supported database server versions
Question/Problem Description
A set of potential security vulnerabilities has been identified in Progress Sitefinity CMS. Below you will find information on the vulnerabilities and a list of the bugfix rollup patches available per version. If you have questions, please contact Progress Technical Support.
 
  • Reflected XSS vulnerability (Critical)

Insufficient sanitization of the login request parameters may lead to reflected cross-site scripting (XSS).

  • Host header vulnerability (High)

A malicious user can perform advanced password reset attacks.

Note: The Host header vulnerability affects only users registered in Sitefinity membership providers. Websites that use external membership providers such as Azure AD or LDAP are not vulnerable.
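The two weakness classes named above, shown from the defender's side in an added Python example. This is generic code written for this article, not Sitefinity's implementation: the allowlisted hostnames, the /reset-password path, the returnUrl login parameter and the log lines are constructed assumptions. It contrasts a reset link derived from the request's Host header with one built from a configured canonical base, shows output encoding of a reflected login parameter, and scans constructed access-log lines for password-reset requests whose Host value is not one the site serves.

```python
from html import escape
from urllib.parse import urlencode, urlparse

# Assumed canonical hostnames for the site (constructed for this example).
ALLOWED_HOSTS = {"www.example.com", "example.com"}
CANONICAL_BASE = "https://www.example.com"


def build_reset_link_unsafe(host_header: str, token: str) -> str:
    """Weak pattern: the absolute URL mailed to the user is derived from the
    request's Host header, so whoever controls that header decides which
    host the reset token is delivered to."""
    return f"https://{host_header}/reset-password?{urlencode({'token': token})}"


def build_reset_link(host_header: str, token: str) -> str:
    """Hardened pattern: the Host header (port stripped, case-folded) must be
    on the allowlist or the request is rejected, and the link is always built
    from the configured canonical base rather than from request data."""
    host = host_header.split(":", 1)[0].strip().lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host_header!r}")
    return f"{CANONICAL_BASE}/reset-password?{urlencode({'token': token})}"


def render_login_error_unsafe(return_url: str) -> str:
    """Weak pattern: a login request parameter (hypothetical returnUrl) is
    reflected into the page without encoding or validation."""
    return f'<p>Login failed. <a href="{return_url}">Back</a></p>'


def render_login_error(return_url: str) -> str:
    """Hardened pattern: only a site-relative path is accepted (anything with
    a scheme or host is replaced by "/"), and the value is HTML-escaped,
    including quotes, before it is placed inside an attribute."""
    parsed = urlparse(return_url)
    if parsed.scheme or parsed.netloc or not return_url.startswith("/"):
        return_url = "/"
    return f'<p>Login failed. <a href="{escape(return_url, quote=True)}">Back</a></p>'


# Constructed log lines: timestamp, method, path, and the request's Host value.
SAMPLE_LOG = """\
2019-11-20T10:00:01Z POST /reset-password host=www.example.com
2019-11-20T10:00:02Z POST /reset-password host=www.example.com:443
2019-11-20T10:00:03Z POST /reset-password host=unexpected.example
2019-11-20T10:00:04Z GET /about host=www.example.com
"""


def flag_reset_requests_with_foreign_host(log_text: str, allowed=ALLOWED_HOSTS):
    """Detection helper: returns (timestamp, host) for every password-reset
    request whose Host value is not a hostname the site serves. Such requests
    are the signal to review while a Host header fix is pending."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, _method, path, host_field = line.split()
        host = host_field.partition("=")[2].split(":", 1)[0].lower()
        if path == "/reset-password" and host not in allowed:
            flagged.append((timestamp, host))
    return flagged


if __name__ == "__main__":
    print(build_reset_link("www.example.com:443", "abc123"))
    print(render_login_error('/home"><script>'))
    print(flag_reset_requests_with_foreign_host(SAMPLE_LOG))
```

The hardened reset-link builder never copies the Host header into the link even when it passes the allowlist check; the check exists only to reject requests that were not addressed to the site, which is the behaviour an application-level or reverse-proxy host allowlist provides.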

Resolution

For the highest security, we recommend an upgrade to the latest Progress Sitefinity CMS release 12.2. This version contains the security fixes from all previous releases.  

The security patches are available for supported Progress Sitefinity CMS versions listed below, with fixes as applicable: 

Sitefinity version | Patch version | XSS vulnerability | Host header vulnerability
-------------------|---------------|-------------------|--------------------------
12.1               | 12.1.7128     | ✓                 | ✓
12.0               | 12.0.7032     | ✓                 | ✓
11.2               | 11.2.6934     | ✓                 | ✓
11.1               | 11.1.6828     | ✓                 | ✓
11.0               | 11.0.6739     | ✓                 | ✓
10.2               | 10.2.6651     | ✓                 | ✓
10.1               | 10.1.6542     | ✓                 | ✓
10.0               | 10.0.6431     | ✓                 | ✓
9.2                | 9.2.6276      | Not Vulnerable    | ✓
9.1                | 9.1.6185      | Not Vulnerable    | ✓
9.0                | Not Available | Not Vulnerable    | Not Available
8.x                | Not Available | Not Vulnerable    | Not Available
7.x                | Not Available | Not Vulnerable    | Not Available
6.x                | Not Available | Not Vulnerable    | Not Available
5.x                | Not Available | Not Vulnerable    | Not Available

Notes

For more information, see the following resources:

To apply the patch, perform a complete upgrade to the patch version listed above; replacing individual DLLs is not sufficient.

 
Special thanks to Ed Ling, Consultant at Dionach Ltd, for identifying and disclosing the Host header vulnerability, tracked as CVE-2019-17392:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17392
Last Modified Date: 12/30/2019 6:53 PM