CVE-2024-11625
Published: 07 January 2025
Summary
CVE-2024-11625 is a high-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Progress Sitefinity. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 30.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-11625 is an Information Exposure Through an Error Message vulnerability (CWE-209) in Progress Software Corporation's Sitefinity content management system. It affects Sitefinity versions from 4.0 through 14.4.8142, 15.0.8200 through 15.0.8229, 15.1.8300 through 15.1.8327, and 15.2.8400 through 15.2.8421. The vulnerability has a CVSS v3.1 base score of 7.7 (High), with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L, indicating network accessibility, high attack complexity, no privileges or user interaction required, and impacts of high confidentiality and integrity loss alongside low availability disruption.
Unauthenticated remote attackers can exploit this vulnerability over the network by triggering specific error conditions that cause sensitive information to be disclosed in error messages. Successful exploitation has a high confidentiality impact (potentially sensitive data is exposed), a high integrity impact (the leaked information may enable further manipulation) and a low availability impact; the high attack complexity rating indicates that exploitation requires sophisticated techniques.
Progress Software has issued a security advisory detailing mitigation for CVE-2024-11625, available at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025. Additional resources on Sitefinity are at https://www.progress.com/sitefinity-cms. Security practitioners should review the advisory for patching instructions and apply updates to affected versions promptly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34187
Vulnerability details
Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables remote unauthenticated exploitation of a public-facing web application (T1190), resulting in disclosure of sensitive system and configuration data via error messages (T1082).
Mitigating Controls (NIST 800-53 r5)
- SI-11 (Error Handling): Directly addresses the CVE by requiring error handling that prevents disclosure of sensitive information through error messages.
- Flaw remediation: Ensures timely remediation of the specific flaw in Sitefinity that exposes sensitive data via error messages.
- SI-15 (Information Output Filtering): Filters system outputs, including error messages, to prevent unauthorized exposure of sensitive information to unauthenticated attackers.