Progress Sitefinity
cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*, +1 more
- >= 15.2, < 15.4
A vulnerability allowing authorization bypass through user-controlled keys has been identified in Progress Sitefinity versions 15.2.x prior to 15.2.8441, 15.3.x prior to 15.3.8531, and 15.4.x prior to 15.4.8630. This vulnerability allows remote authenticated attackers to modify the account properties of other users, potentially leading to account compromise. Exploitation requires knowledge of certain values not typically accessible to low-privileged users.
Exploitation of this vulnerability could result in unauthorized modification of user account properties, potentially leading to account compromise.
Progress Sitefinity has released product updates for all supported versions. Users are advised to update to the latest version. For detailed instructions on how to apply the update, refer to the Progress Sitefinity Knowledge Base Article 'How to update Sitefinity to hotfix internal build or a patch'.