Security Advisory for Resolving Security vulnerabilities, September, 2018


Title: Security Advisory for Resolving Security vulnerabilities, September, 2018
URL Name: Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018
Article Number: 000116476
Environment:
Product: Sitefinity
Version: 4.x, 5.x, 6.x, 7.x, 8.x, 9.x, 10.x, 11.0
OS: All supported OS versions
Database: All supported database server versions
Question/Problem Description

Security vulnerabilities were identified in Sitefinity CMS:  

  • XSS Vulnerability in Telerik.ReportViewer (CVE-2017-9140)

The issue is present in Sitefinity versions 4.2 - 11.0

Reflected cross-site scripting (XSS) in the Telerik Reporting ASP.NET WebForms Report Viewer affects Sitefinity. The component is used by the eCommerce module to visualize backend reports; its Telerik.ReportViewer.axd handler allows third parties to inject arbitrary web script or HTML.

By default, this handler is enabled in the web.config file. This is a potential vector for a phishing attack. 


  • Cross-Site Scripting (XSS) in Identity Server (CVE-2018-17053, CVE-2018-17054)

The issue is present in Sitefinity versions 10.0 - 11.0 

Missing sanitization of the login request parameters could lead to reflected cross-site scripting (XSS). This is a potential vector for a phishing attack.

  • Cross-site Scripting (XSS) Vulnerability in Service Stack (CVE-2018-17056)

The issue is present in Sitefinity versions 10.2 - 11.0

Reflected cross-site scripting (XSS) vulnerability in ServiceStack affects Sitefinity. This is a potential vector for a phishing attack.

  • Arbitrary file upload vulnerability (CVE-2018-17055)

The issue is present in Sitefinity versions 4.0 - 11.0

In specific scenarios image upload allows the inclusion of malicious files. This is a potential vector for a phishing attack.  


  • Arbitrary Code Execution in Dynamic Linq Parser affects Sitefinity 

The issue is present in Sitefinity versions 4.0 - 11.0

Arbitrary Code Execution in Dynamic Linq Parser can potentially be exploited by privileged users. However, this is a potential threat only and not a proven attack vector. 



For optimal security, upgrade to the latest version of Sitefinity 11.0 Hotfix or internal build.   


For lower versions, refer to the table below. 

The fixes are cumulative and include the fixes for all the above-mentioned vulnerabilities. 

Sitefinity version | Hotfix version         | Internal build
11.0               | Hotfix 2 - 11.0.6702.0 | 11.0.6729.0
10.2               | Hotfix 4 - 10.2.6604.0 | 10.2.6641.0
10.1               | Hotfix 6 - 10.1.6506.0 | 10.1.6536.0
10.0               | Hotfix 7 - 10.0.6415.0 | 10.0.6427.0
9.2                | Hotfix 6 - 9.2.6270.0  | 9.2.6271.0
9.1                | Hotfix 6 - 9.1.6180.0  | 9.1.6181.0
9.0                | Hotfix 6 - 9.0.6060.0  | 9.0.6061.0
8.2                | Hotfix 5 - 8.2.5970.0  | 8.2.5971.0
8.1                | Hotfix 6 - 8.1.5860.0  | 8.1.5861.0
8.0                | Hotfix 5 - 8.0.5770.0  | 8.0.5771.0
7.3                | Hotfix 6 - 7.3.5690.0  | 7.3.5691.0
7.2                | Hotfix 5 - 7.2.5350.0  | 7.2.5351.0
7.1                | Hotfix 3 - 7.1.5240.0  | 7.1.5241.0
7.0                | Hotfix 3 - 7.0.5140.0  | 7.0.5141.0
6.3                | Hotfix 2 - 6.3.5050.0  | 6.3.5051.0
6.2                | Hotfix 3 - 6.2.4930.0  | Not available
6.1                | Hotfix 2 - 6.1.4720.0  | Not available
6.0                | Hotfix 3 - 6.0.4230.0  | Not available

The following information applies only to the XSS vulnerability in Telerik.ReportViewer:

Projects not using the eCommerce module can safely remove the handler from the web.config file. All other projects should apply the hotfix.

Remove the following lines from the web.config:
<add verb="*" path="Telerik.ReportViewer.axd" type="Telerik.ReportViewer.WebForms.HttpHandler, Telerik.ReportViewer.WebForms" />
<add name="Telerik.ReportViewer.axd_*" verb="*" preCondition="integratedMode" path="Telerik.ReportViewer.axd" type="Telerik.ReportViewer.WebForms.HttpHandler, Telerik.ReportViewer.WebForms" />
Reference: XSS Vulnerability in Telerik.ReportViewer 

The provided workaround does not apply to the other four issues.

Reference: How to update Sitefinity to hotfix, internal build or a patch
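The removal described above can be scripted for sites that do not use the eCommerce module. The following is an added example, not code from the advisory or from Progress: it strips every registration of Telerik.ReportViewer.axd from a web.config, checking both standard ASP.NET registration points (system.web/httpHandlers for the classic pipeline and system.webServer/handlers for the integrated pipeline, the entry with preCondition="integratedMode"). The sample web.config is constructed, and Unrelated.axd is a made-up handler that must survive the edit.

```python
# Added example (not part of the Sitefinity advisory): remove the
# Telerik.ReportViewer.axd handler registrations from a web.config.
import xml.etree.ElementTree as ET

REPORT_VIEWER_PATH = "Telerik.ReportViewer.axd"
# The two places ASP.NET registers HTTP handlers (classic and integrated pipeline).
HANDLER_PARENTS = ("system.web/httpHandlers", "system.webServer/handlers")

# Constructed sample config; Unrelated.axd is a made-up handler that must stay.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="Telerik.ReportViewer.axd" type="Telerik.ReportViewer.WebForms.HttpHandler, Telerik.ReportViewer.WebForms" />
      <add verb="*" path="Unrelated.axd" type="Example.UnrelatedHandler, Example" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="Telerik.ReportViewer.axd_*" verb="*" preCondition="integratedMode" path="Telerik.ReportViewer.axd" type="Telerik.ReportViewer.WebForms.HttpHandler, Telerik.ReportViewer.WebForms" />
    </handlers>
  </system.webServer>
</configuration>
"""


def report_viewer_registrations(root):
    """Return (parent, add) pairs for every handler mapped to the .axd path."""
    found = []
    for parent_path in HANDLER_PARENTS:
        parent = root.find(parent_path)
        if parent is None:
            continue
        for add in parent.findall("add"):
            # IIS matches handler paths case-insensitively, so compare that way.
            if add.get("path", "").lower() == REPORT_VIEWER_PATH.lower():
                found.append((parent, add))
    return found


def remove_report_viewer_handlers(config_xml):
    """Return (rewritten web.config text, number of registrations removed)."""
    root = ET.fromstring(config_xml)
    hits = report_viewer_registrations(root)
    for parent, add in hits:
        parent.remove(add)
    return ET.tostring(root, encoding="unicode"), len(hits)


if __name__ == "__main__":
    import sys  # usage: python strip_reportviewer.py path/to/web.config
    text = open(sys.argv[1], encoding="utf-8").read()
    open(sys.argv[1], "w", encoding="utf-8").write(remove_report_viewer_handlers(text)[0])
```

ElementTree drops XML comments and the XML declaration when it serializes, so review the diff against a backup before deploying the rewritten file; a second run reporting zero removals confirms the handler is gone.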

Thanks to Ali Hardudi, a Security Analyst at ERNW GmbH, for identifying and disclosing the XSS vulnerability in Identity Server, the XSS vulnerability in Service Stack and the arbitrary file upload vulnerability.

Last Modified Date: 11/20/2020 7:06 AM