Progress Sitefinity
cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*
- >= 14.1, <= 15.4
A vulnerability allowing remote, unauthenticated attackers to compromise the integrity and confidentiality of user accounts has been identified in Progress Sitefinity versions 14.1.x through 14.3.x, 14.4.x prior to 14.4.8152, 15.0.x prior to 15.0.8234, 15.1.x prior to 15.1.8335, 15.2.x prior to 15.2.8441, 15.3.x prior to 15.3.8531, and 15.4.x prior to 15.4.8630. This vulnerability arises from improper input validation in web services, specifically in OData web services, and successful exploitation requires user interaction and a non-default site configuration.
Exploitation of this vulnerability allows for unauthorized compromise of user account integrity and confidentiality.
Progress Sitefinity has released product updates for all supported versions. Users are advised to update to the latest version, which is 15.4.8631. For instructions on how to apply the update, refer to the Progress Sitefinity Knowledge Base Article on updating Sitefinity.
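To triage an inventory against the affected ranges listed above, the following added example (not Progress's code and not part of the original advisory) classifies Sitefinity version strings by branch and build. It assumes versions are written as `major.minor.build` with an optional fourth component; the host names and sample versions are constructed.

```python
import re

# Fixed build per branch, taken from the advisory text above.
FIXED_BUILD = {
    (14, 4): 8152, (15, 0): 8234, (15, 1): 8335,
    (15, 2): 8441, (15, 3): 8531, (15, 4): 8630,
}
# Branches the advisory lists as affected without naming a fixed build.
NO_FIX_NAMED = {(14, 1), (14, 2), (14, 3)}

# Assumption: major.minor.build, optionally followed by a revision number.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*$")


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'out-of-range' or 'unparseable'."""
    m = _VERSION_RE.match(version)
    if not m:
        return "unparseable"  # review by hand rather than guess
    major, minor, build = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in NO_FIX_NAMED:
        return "affected"
    if branch in FIXED_BUILD:
        return "affected" if build < FIXED_BUILD[branch] else "fixed"
    return "out-of-range"  # the advisory makes no statement about this branch


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group host names by classification to build a patching worklist."""
    result: dict[str, list[str]] = {}
    for host, version in sorted(inventory.items()):
        result.setdefault(classify(version), []).append(host)
    return result


if __name__ == "__main__":
    # Constructed inventory: host names and versions are made up.
    sample = {
        "cms-a.example": "14.2.7900.0",
        "cms-b.example": "15.3.8531.0",
        "cms-c.example": "15.4.8629",
        "cms-d.example": "unknown",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts)}")
```

A version match alone does not establish exposure: per the advisory, exploitation also requires a non-default site configuration and user interaction.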