CVE-2024-11626

High

Published: 07 January 2025

Published

07 January 2025

Modified

29 July 2025

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

EPSS Score 0.0007 20.9th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-11626 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Progress Sitefinity. Its CVSS base score is 8.4 (High).

Operationally, ranked at the 20.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-15 Information Output Filtering good match

prevent

Directly prevents XSS by filtering outputs to web pages, addressing the improper neutralization of input during Sitefinity backend page generation.

SI-10 Information Input Validation good match

prevent

Ensures validation of inputs to the CMS backend, mitigating the root cause of unneutralized inputs leading to XSS exploitation.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific flaw in Sitefinity versions via vendor patches, eliminating the XSS vulnerability.

NVD Description

Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.

Deeper analysisAI

CVE-2024-11626 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, stemming from improper neutralization of input during CMS backend administrative section web page generation in Progress Sitefinity. The issue affects multiple version ranges of Sitefinity, including from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, and from 15.2.8400 through 15.2.8421. Published on January 7, 2025, it carries a CVSS v3.1 base score of 8.4 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).

Attackers can exploit this vulnerability over the network with low complexity if they have high privileges, such as administrative access to the Sitefinity backend, and can induce user interaction, like clicking a malicious link. Successful exploitation changes scope and enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing attackers to execute arbitrary scripts in the context of the administrative session.

Progress has issued a security advisory specifically addressing CVE-2024-11626 alongside CVE-2024-11625, available at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025. Further details on Sitefinity are provided at https://www.progress.com/sitefinity-cms.

Details

CWE(s): CWE-79

Affected Products

progress

sitefinity

4.0 — 14.4.8143 · 15.0.8200 — 15.0.8230 · 15.1.8300 — 15.1.8328

CVEs Like This One

CVE-2024-11627Same product: Progress Sitefinity

CVE-2024-11625Same product: Progress Sitefinity

CVE-2024-56132Same vendor: Progress

CVE-2025-13447Same vendor: Progress

CVE-2026-4670Same vendor: Progress

CVE-2025-13444Same vendor: Progress

CVE-2024-11628Same vendor: Progress

CVE-2026-3517Same vendor: Progress

CVE-2026-6023Same vendor: Progress

CVE-2024-56135Same vendor: Progress

References

https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025
Vendor Advisory · security@progress.com
https://www.progress.com/sitefinity-cms
Product · security@progress.com