CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations.
The access control mechanism in Progress Sitefinity web services does not properly verify the requester's identity, allowing an attacker to bypass required authentication. An attacker can send requests to protected endpoints (web services) directly over the network without providing any credentials. The lack of authentication requirement (CVSS PR:N, UI:N) means that the attack does not require user interaction or possession of an account in the system.
The attacker gains full access to content and functionality that should be protected, resulting in a complete breach of confidentiality, integrity, and availability of the installed system. In practice, this may mean reading, modifying, or deleting data, as well as potential takeover of the Sitefinity installation.
Progress Sitefinity should be updated to version 15.4.8630 or newer. Detailed instructions are available in the official Progress security bulletin provided in the manufacturer's references.
Progress Sitefinity in versions 15.4.8623 to 15.4.8629 (before version 15.4.8630)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HProgress Sitefinity
APPProgress15.4.8623 – 15.4.8630 (bez)
Related vulnerabilities
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412....
Progress Sitefinity: ujawnienie danych uwierzytelniających w usługach web
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1....
Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host...
Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remote attackers to bypass authentication an...