Security Advisory for Resolving Security vulnerabilities, September, 2019


Information

Article Number: 000139047
Environment:
Product: Sitefinity
Version: 8.x, 9.x, 10.x, 11.x, 12.0
OS: All supported OS versions
Database: All supported database server versions
Question/Problem Description

A set of potential security vulnerabilities has been identified in Progress Sitefinity CMS. Below you will find a list of bugfix rollup patches per version, which contain fixes for these vulnerabilities. If you have any questions in this regard, please contact Progress Technical Support.

Addressed vulnerabilities:

  • Reflected XSS vulnerability in Login widget (MVC)
  • Reflected XSS vulnerability in the backend login
  • XSS vulnerability in Revision History
  • XSS vulnerability in Events widget (WebForms)

Resolution

For the highest security, we recommend an upgrade to the latest Progress Sitefinity CMS release.

The security patches are available for the supported Progress Sitefinity CMS versions listed below, with fixes as applicable:

| Sitefinity Version | Patch Version | XSS - Login widget (MVC) | XSS - backend login | XSS - Revision History | XSS - Events widget (WebForms) |
|---|---|---|---|---|---|
| 12.0 | 12.0.7029 | ✓ | ✓ | ✓ | ✓ |
| 11.2 | 11.2.6932 | ✓ | ✓ | ✓ | ✓ |
| 11.1 | 11.1.6827 | ✓ | ✓ | ✓ | ✓ |
| 11.0 | 11.0.6738 | ✓ | ✓ | ✓ | ✓ |
| 10.2 | 10.2.6650 | ✓ | ✓ | ✓ | ✓ |
| 10.1 | 10.1.6541 | ✓ | ✓ | ✓ | Not Available* |
| 10.0 | 10.0.6430 | ✓ | ✓ | ✓ | Not Available* |
| 9.2 | 9.2.6275 | ✓ | Not Applicable | Not Applicable | Not Available* |
| 9.1 | 9.1.6184 | ✓ | Not Applicable | Not Applicable | Not Available* |
| 9.0 | 9.0.6064 | ✓ | Not Applicable | Not Applicable | Not Available* |
| 8.2 | 8.2.5974 | ✓ | Not Applicable | Not Applicable | Not Available* |


For more information on how to upgrade, refer to Progress Article 000076924, "How to update Sitefinity to hotfix, internal build or a patch".
For more information on where to find the patches, refer to Progress Article 000071864, "Where to find the hot fix, internal builds and patches for download".

*The patch for this specific vulnerability cannot be backported to previous versions due to technical limitations. If affected, upgrade to a higher version that contains the fix.
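As an added example, not part of this advisory or of Progress's own code, the following Python script encodes the patch table above and reports, for an installed build string, which of the four fixes that build already carries, which still require the listed patch, and where the footnoted Events widget fix can only be obtained by moving to a higher version line. The fix names and the sample build strings are assumptions.

```python
# Cell states from the advisory's table: a fix is "fixed" in the listed patch
# build, "n/a" (Not Applicable) or "unavailable" (Not Available*). The fix
# names are assumed labels for the four table columns.
FIXES = ("login_mvc", "backend_login", "revision_history", "events")
LEGACY = {"backend_login": "n/a", "revision_history": "n/a", "events": "unavailable"}
# version line -> (first patched build number, cells that are not "fixed")
ADVISORY = {
    "12.0": (7029, {}), "11.2": (6932, {}), "11.1": (6827, {}),
    "11.0": (6738, {}), "10.2": (6650, {}),
    "10.1": (6541, {"events": "unavailable"}),
    "10.0": (6430, {"events": "unavailable"}),
    "9.2": (6275, LEGACY), "9.1": (6184, LEGACY),
    "9.0": (6064, LEGACY), "8.2": (5974, LEGACY),
}

def _line_key(line):
    major, minor = line.split(".")
    return int(major), int(minor)

def lowest_line_with_fix(fix):
    """Lowest version line whose patch carries `fix` (upgrade target for Not Available* cells)."""
    lines = [ln for ln, (_, cells) in ADVISORY.items() if cells.get(fix, "fixed") == "fixed"]
    return min(lines, key=_line_key)

def assess(installed):
    """Map each fix in this advisory to the action needed for a build string like "10.1.6500"."""
    parts = installed.split(".")          # a 4th component, if present, is ignored
    if len(parts) < 3:
        raise ValueError(f"expected major.minor.build, got {installed!r}")
    line, build = f"{parts[0]}.{parts[1]}", int(parts[2])
    if line not in ADVISORY:
        raise ValueError(f"version line {line} is not covered by this advisory")
    required, cells = ADVISORY[line]
    result = {}
    for fix in FIXES:
        cell = cells.get(fix, "fixed")
        if cell == "n/a":
            result[fix] = "not applicable to this version"
        elif cell == "unavailable":
            target = lowest_line_with_fix(fix)
            result[fix] = f"not backported: upgrade to {target}.{ADVISORY[target][0]} or later"
        elif build >= required:
            result[fix] = "patched"
        else:
            result[fix] = f"vulnerable: apply {line}.{required} or later"
    return result

if __name__ == "__main__":  # constructed sample inputs, not real deployments
    for sample in ("12.0.7029", "10.1.6500", "9.2.6275"):
        print(sample, assess(sample))
```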
Last Modified Date: 11/21/2019 11:34 AM
Disclaimer: The origins of the information on this site may be internal or external to Progress Software Corporation (“Progress”). Progress Software Corporation makes all reasonable efforts to verify this information. However, the information provided is for your information only. Progress Software Corporation makes no explicit or implied claims to the validity of this information.

Any sample code provided on this site is not supported under any Progress support program or service. The sample code is provided on an "AS IS" basis. Progress makes no warranties, express or implied, and disclaims all implied warranties including, without limitation, the implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample code is borne by the user. In no event shall Progress, its employees, or anyone else involved in the creation, production, or delivery of the code be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample code, even if Progress has been advised of the possibility of such damages.