Progress Sitefinity
cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*
- >= 8.0, <= 13.3.7652
A vulnerability allowing remote authenticated attackers to obtain plain-text credentials used to connect to the Sitefinity Insight service has been identified in Progress Sitefinity. This issue affects versions from 8.0.5700 and prior to 13.3.7652. The vulnerability arises from insufficient protection of credentials in ServiceStack web services. Successful exploitation requires active integration with Sitefinity Insight, a non-default site configuration, and valid back-end authorization.
Exploitation of this vulnerability allows for the unauthorized retrieval of plain-text credentials, which could be misused to access the Sitefinity Insight service.
Progress Sitefinity has released product updates for all supported versions. Users are advised to update to the latest version, which is 15.4.8631. For instructions on how to apply the update, refer to the Progress Sitefinity Knowledge Base Article on updating Sitefinity.