mnemonic Labs

Vulnerability discovered in Sitefinity CMS

mnemonic discovers vulnerability affecting Sitefinity

Erlend Leiknes, Security Consultant at mnemonic, identified and disclosed the following vulnerability, which has been assigned CVE-2017-15883.

CVE-2017-15883

A cryptographic weakness was found in Sitefinity, allowing an attacker to bypass authentication.

Exploitation may lead to denial of service on load-balanced sites and/or elevation of backend user privileges.

Estimated CVSSv3 Base Score: 8.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:P/RL:O/RC:C)

The vulnerability affects Sitefinity versions 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x and 10.x.

Official release notes and security advisory can be found at: https://knowledgebase.progress.com/articles/Article/Sitefinity-Security-Advisory-for-cryptographic-vulnerability-CVE-2017-15883