CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-7198

CVSS 9.8v3.1pub. 2026-06-02upd. 2026-06-04

CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations.

🤖 AI Analysis
How it works

The access control mechanism in Progress Sitefinity web services does not properly verify the requester's identity, allowing an attacker to bypass required authentication. An attacker can send requests to protected endpoints (web services) directly over the network without providing any credentials. The lack of authentication requirement (CVSS PR:N, UI:N) means that the attack does not require user interaction or possession of an account in the system.

Impact

The attacker gains full access to content and functionality that should be protected, resulting in a complete breach of confidentiality, integrity, and availability of the installed system. In practice, this may mean reading, modifying, or deleting data, as well as potential takeover of the Sitefinity installation.

Mitigation & patch

Progress Sitefinity should be updated to version 15.4.8630 or newer. Detailed instructions are available in the official Progress security bulletin provided in the manufacturer's references.

Who is affected

Progress Sitefinity in versions 15.4.8623 to 15.4.8629 (before version 15.4.8630)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Progress Sitefinity

    APP
    Progress
    15.4.8623 – 15.4.8630 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2017-9248CRITICAL9.8⚠ KEVten sam produkt

Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412....

CVE-2026-7312CRITICAL10.0PL ✓ten sam produkt

Progress Sitefinity: ujawnienie danych uwierzytelniających w usługach web

CVE-2023-29375CRITICAL9.8ten sam produkt

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1....

CVE-2019-17392CRITICAL9.8ten sam produkt

Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host...

CVE-2017-15883CRITICAL9.8ten sam produkt

Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remote attackers to bypass authentication an...