Description
Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17054.
References (2)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://insinuator.net/2018/10/vulnerabilities-in-sitefinity-wcms-a-success-story-of-a-responsible-disclosure-process/
Vendor Advisory x_refsource_confirm
https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018
Scores
CVSS v3
6.1
EPSS
0.0007
EPSS Percentile
20.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
progress/sitefinity_cms
10.0 - 11.0
Published
Oct 03, 2018
Tracked Since
Feb 18, 2026