Cyber Resilience

CVE-2024-11626

Severity: High
Published: 07 January 2025
Modified: 29 July 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: vendor patches available (see the Progress advisory under Deeper analysis)
CVSS Score v3.1: 8.4 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0009 (26.0th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11626 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Progress Sitefinity. Its CVSS base score is 8.4 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique JavaScript (T1059.007). EPSS ranks it at the 26.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-11626 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, stemming from improper neutralization of input during CMS backend administrative section web page generation in Progress Sitefinity. The issue affects multiple version ranges of Sitefinity, including from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, and from 15.2.8400 through 15.2.8421. Published on January 7, 2025, it carries a CVSS v3.1 base score of 8.4 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).

The vector decodes as follows. Attack Vector Network and Attack Complexity Low: the payload is delivered over the web to the Sitefinity backend with no special preconditions. Privileges Required High: the attacker needs a high-privileged backend account, such as an administrator, to get unneutralized input into a backend page. User Interaction Required: another backend user must act, for example by clicking a crafted link. Scope Changed: the script runs in that victim's browser, outside the authorization scope of the vulnerable component. Confidentiality, Integrity and Availability impact all High: the attacker's JavaScript executes with the victim's administrative session, so it can read backend content, change it, and act as that administrator.

Progress has issued a security advisory specifically addressing CVE-2024-11626 alongside CVE-2024-11625, available at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025. Further details on Sitefinity are provided at https://www.progress.com/sitefinity-cms.

Vulnerability details

Improper Neutralization of Input During CMS Backend (administrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.007 JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

An XSS in the admin backend lets attacker-supplied JavaScript run in another backend user's browser (T1059.007), and from there read or act on that user's authenticated administrative session (T1185).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-11627 (same product: Progress Sitefinity)
CVE-2024-11625 (same product: Progress Sitefinity)
CVE-2026-7201 (same product: Progress Sitefinity)
CVE-2026-7312 (same product: Progress Sitefinity)
CVE-2026-7195 (same product: Progress Sitefinity)
CVE-2026-7313 (same product: Progress Sitefinity)
CVE-2026-7198 (same product: Progress Sitefinity)
CVE-2025-27279 (shared CWE-79)
CVE-2025-24541 (shared CWE-79)
CVE-2024-56036 (shared CWE-79)

Affected Assets

progress sitefinity
4.0 — 14.4.8143 · 15.0.8200 — 15.0.8230 · 15.1.8300 — 15.1.8328
Note: these asset ranges appear to use exclusive upper bounds, which is how they line up with the vendor text's "through 14.4.8142", "through 15.0.8229" and "through 15.1.8327"; the fourth vendor-listed range, 15.2.8400 through 15.2.8421, is not reflected in this asset list.

Mitigating Controls (NIST 800-53 r5)

SI-15 Information Output Filtering (prevent)
Directly prevents XSS by encoding or filtering data before it is written into web pages, addressing the improper neutralization of input during Sitefinity backend page generation.

SI-10 Information Input Validation (prevent)
Ensures validation of inputs to the CMS backend, mitigating the root cause of unneutralized inputs leading to XSS exploitation.

Vendor patching (prevent)
Requires timely remediation of the specific flaw in affected Sitefinity versions via vendor patches, eliminating the XSS vulnerability.
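The two code-level controls above (output filtering, SI-15, and input validation, SI-10) and the T1059.007/T1185 mapping are easier to reason about with a concrete renderer. The following JavaScript is an added example written for this page, not Sitefinity's code: a minimal server-side HTML renderer for a hypothetical backend "pages" list (the /admin/pages route and the title column are stand-ins), shown in the CWE-79 form and then hardened, plus an allowlist validator and a check a tester can run over rendered backend HTML. The hostile title is a constructed value.

```javascript
// Added example, not Sitefinity's code. The /admin/pages route and the page-title column
// are hypothetical stand-ins for a CMS backend screen.

// Constructed hostile value: a page title saved by one backend user and later rendered
// into the backend UI for every other administrator who opens the list.
const HOSTILE_TITLE = 'Home"><img src=x onerror=alert(document.cookie)>';
const BENIGN_TITLE = 'Company News (Q1, 2025)';

// --- Vulnerable: string interpolation with no neutralization (the CWE-79 pattern) ---
function renderPageRowUnsafe(title) {
  return '<tr><td>' + title + '</td>' +
         '<td><a href="/admin/pages?title=' + title + '">Edit</a></td></tr>';
}

// --- Output filtering (SI-15): encode for the context the data lands in ---
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

function renderPageRowSafe(title) {
  // text-node context: HTML-encode
  const cell = encodeHtml(title);
  // URL query parameter inside an attribute: percent-encode for the URL, then HTML-encode
  // the result so the value can never terminate the surrounding href attribute
  const href = '/admin/pages?title=' + encodeHtml(encodeURIComponent(title));
  return '<tr><td>' + cell + '</td><td><a href="' + href + '">Edit</a></td></tr>';
}

// --- Input validation (SI-10): reject what a page title never legitimately contains,
// before it is stored. This complements output encoding; it does not replace it. ---
const TITLE_ALLOWLIST = /^[\p{L}\p{N} .,:;!?'()\-]{1,100}$/u;
function isValidTitle(title) {
  return TITLE_ALLOWLIST.test(title);
}

// Check over rendered backend HTML: a raw tag carrying an on* event handler, or a
// script/iframe tag, means markup from data reached the page unencoded.
// "&lt;img ... onerror=" is inert text and is deliberately not matched.
function containsActiveMarkup(html) {
  return /<\s*[a-z][^>]*\son[a-z]+\s*=/i.test(html) || /<\s*(script|iframe)\b/i.test(html);
}

function demo() {
  const unsafe = renderPageRowUnsafe(HOSTILE_TITLE);
  const safe = renderPageRowSafe(HOSTILE_TITLE);
  return {
    unsafeHasActiveMarkup: containsActiveMarkup(unsafe), // true: payload is live
    safeHasActiveMarkup: containsActiveMarkup(safe),     // false: payload is text
    hostileRejected: !isValidTitle(HOSTILE_TITLE),       // true: never stored
    benignAccepted: isValidTitle(BENIGN_TITLE),          // true: normal titles pass
  };
}

console.log(JSON.stringify(demo()));
```

The unsafe row is the T1059.007 path: whoever views the list executes the stored handler with their own backend session, which is also why the victim's cookies and CSRF tokens (T1185) are in reach. The safe row encodes per context rather than stripping characters, so a legitimate title such as "Q&A" survives intact while the hostile one is rendered as inert text.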
