Progress Sitefinity
cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*
- 14.0
- 14.1
- 14.2
- 14.3
- 14.4
- 15.0
- 15.1
- 15.2
A vulnerability allowing session replay attacks has been identified in Progress Sitefinity versions 14.0 through 14.3, 14.4 prior to 14.4.8145, 15.0 prior to 15.0.8231, 15.1 prior to 15.1.8332, and 15.2 prior to 15.2.8429. This issue arises from insufficient session expiration in certain administrative views, under specific and uncommon circumstances, which allows for the reuse of session IDs.
The vulnerability could lead to unauthorized reuse of session IDs: an attacker who reuses a valid session ID could carry out a session replay attack and impersonate the user the session belongs to.
Progress Sitefinity has released patches for all supported versions. Users are advised to update to the latest version. For instructions on how to apply the update, refer to the Progress Sitefinity Knowledge Base Article on updating Sitefinity to a patch.