Progress Sitefinity
cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*
- >= 14.0, <= 15.4
A vulnerability allowing remote unauthenticated attackers to access plain-text credentials for the Sitefinity Insight service has been identified in Progress Sitefinity. This issue affects versions 14.0.7700 to 14.4.8152, 15.0.8200 to 15.0.8234, 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630. The vulnerability arises from insufficient protection of credentials in web services, specifically OData and ServiceStack, and requires active integration with Sitefinity Insight and a non-default site configuration for exploitation.
Successful exploitation allows remote unauthenticated attackers to obtain plain-text credentials used to connect to the Sitefinity Insight service.
Progress Sitefinity has released product updates for all supported versions. Users are advised to update to the latest version, 15.4.8631, and can refer to the Progress Sitefinity update guide for instructions on applying the update.