CVE-2017-18639

MEDIUM

Progress Sitefinity CMS <10.1 - XSS


Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-18639. PoCs published by Pralhad Chaskar.

AI-analyzed exploit summary: This is a writeup describing a stored XSS vulnerability in Progress Sitefinity CMS 9.2 and lower. It lists multiple input fields that are not properly escaped, allowing for XSS attacks.

Description

Progress Sitefinity CMS before 10.1 allows XSS via /Pages Parameter: Page Title, /Content/News Parameter: News Title, /Content/List Parameter: List Title, /Content/Documents/LibraryDocuments/incident-request-attachments Parameter: Document Title, /Content/Images/LibraryImages/newsimages Parameter: Image Title, /Content/links Parameter: Link Title, or /Content/Videos/LibraryVideos/default-video-library Parameter: Video Title.

Exploits (1)

exploitdb WRITEUP
by Pralhad Chaskar · text · webapps · asp
https://www.exploit-db.com/exploits/42792


Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Progress Sitefinity CMS 9.2 and lower
Auth required
Prerequisites: Access to the vulnerable input fields · Valid credentials to perform POST requests
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/42792

Scores

CVSS v3 6.1
EPSS 0.0089
EPSS Percentile 54.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
progress/sitefinity_cms < 10.1
Published Nov 06, 2019
Tracked Since Feb 18, 2026