Progress Sitefinity Insufficient Session Expiration Vulnerability Allowing Session Fixation

Vulnerability

A session fixation vulnerability has been identified in Progress Sitefinity, stemming from insufficient session expiration. This issue affects Sitefinity versions 4.0 through 14.4.8142, 15.0.8200 through 15.0.8229, 15.1.8300 through 15.1.8327, and 15.2.8400 through 15.2.8421.

Impact

Exploitation of this vulnerability allows for session fixation, where an attacker can manipulate a user's session ID, potentially leading to unauthorized access or actions within the application.

Remediation

Progress has released patches for all supported versions. Sitefinity customers are advised to update to version 15.2.8422, 15.1.8328, 15.0.8230 or 14.4.8143. For instructions on applying the update, refer to the Sitefinity patch update guide.
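The affected ranges above can be checked against an installation inventory. The following is an added example, not code from Progress or from this advisory's publisher; it assumes that each patched build belongs to the release branch with the matching major.minor number, that a fourth revision component in a version string can be ignored, and it uses a constructed sample inventory.

```python
import re

# Affected ranges (inclusive) as listed in the advisory, each paired with the
# patched build assumed to belong to the same release branch.
AFFECTED = [
    ((4, 0, 0), (14, 4, 8142), "14.4.8143"),
    ((15, 0, 8200), (15, 0, 8229), "15.0.8230"),
    ((15, 1, 8300), (15, 1, 8327), "15.1.8328"),
    ((15, 2, 8400), (15, 2, 8421), "15.2.8422"),
]

def parse_version(text):
    """Return (major, minor, build); a 4th revision part is ignored (assumption)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())

def triage(version):
    """Return (affected, patched_build_or_None) for one version string."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return True, fixed
    return False, None

def triage_inventory(inventory):
    """Map host -> status; unparseable versions are flagged, never skipped."""
    report = {}
    for host, version in inventory.items():
        try:
            affected, fixed = triage(version)
        except ValueError:
            report[host] = "unknown version, check manually"
            continue
        report[host] = (f"affected, update to {fixed}" if affected
                        else "not in listed ranges")
    return report

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = {
    "cms-prod-01": "15.2.8421.0",
    "cms-prod-02": "15.2.8422",
    "cms-legacy": "13.3.7600",
    "cms-stage": "unknown",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Installations on branches older than 14.4 fall into the first range, so the reported target for them is the 14.4 patched build.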

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 6.5
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.