CVE-2024-11626
Published: 07 January 2025
Summary
CVE-2024-11626 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Progress Sitefinity. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 26.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-11626 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, stemming from improper neutralization of input during CMS backend administrative section web page generation in Progress Sitefinity. The issue affects multiple version ranges of Sitefinity, including from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, and from 15.2.8400 through 15.2.8421. Published on January 7, 2025, it carries a CVSS v3.1 base score of 8.4 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).
Attackers can exploit this vulnerability over the network with low complexity if they have high privileges, such as administrative access to the Sitefinity backend, and can induce user interaction, like clicking a malicious link. Successful exploitation changes scope and enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing attackers to execute arbitrary scripts in the context of the administrative session.
Progress has issued a security advisory specifically addressing CVE-2024-11626 alongside CVE-2024-11625, available at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025. Further details on Sitefinity are provided at https://www.progress.com/sitefinity-cms.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34189
Vulnerability details
Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS in admin backend directly enables arbitrary JavaScript execution (T1059.007) and browser session hijacking within authenticated admin context (T1185).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents XSS by filtering outputs to web pages, addressing the improper neutralization of input during Sitefinity backend page generation.
Ensures validation of inputs to the CMS backend, mitigating the root cause of unneutralized inputs leading to XSS exploitation.
Requires timely remediation of the specific flaw in Sitefinity versions via vendor patches, eliminating the XSS vulnerability.