Vulnerability Details CVE-2017-18176
Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 3.1%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 3.5
References
- https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html
- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html
- https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html
- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html
Products affected by CVE-2017-18176
-
cpe:2.3:a:progress:sitefinity:9.1