Cross-Site Scripting (XSS) affects Sitefinity < 15.0 - CVE-2023-27636

Disclaimer

This Security Advisory is provided on an “as is” basis and do not imply any kind of guarantee or warranty. Your use of the information in this publication or linked materials is at your own risk.

About Manufacturer

Dedicated to propelling business forward in a technology-driven world, Progress (NASDAQ: PRGS) helps businesses drive faster cycles of innovation, fuel momentum and accelerate their path to success. As the trusted provider of the best products to develop, deploy and manage high-impact applications, Progress enables customers to build the applications and experiences they need, deploy where and how they want and manage it all safely and securely. Hundreds of thousands of enterprises, including 1,700 software companies and 3.5 million developers, depend on Progress to achieve their goals—with confidence

Site: https://www.progress.com/

About the product

Sitefinity CMS is a content management system (CMS) that you use to create, store, manage, and present content on your website. Content and pages in Sitefinity CMS are multilingual and you can use one Sitefinity CMS instance to manage multiple sites that can share content.

Site: https://www.progress.com/documentation/sitefinity-cms

Confirmed vulnerable versions

Progress Sitefinity CMS: Version under 15.0.0.

Summary

In February 2023, Aldi Saputra Wahyudi discovered a vulnerability in the Progress Sitefinity CMS, in the backend of the Sitefinity CMS, all features using SF-Editor are vulnerable to stored Cross-site scripting.

CVE-2023-27636 - Stored Cross-Site Scripting (XSS)

Attacker as lower privilege Victim as Higher privilege

1. Login as an Attacker
2. Go to the function using the SF Editor, go to the news page as example
3. Create or Edit news item
4. On the content form, insert the XSS payload as HTML
5. After the payload is inserted, click on the content form (just click) and publish or save
6. If the victim visits the page with XSS payload, XSS will be triggered

Payload: <iframe src="javascript:alert(document.domain);">

Vulnerability remediation

Progress announced the releases of versions 15.0.0 (Sitefinity CMS), that the previously mentioned vulnerability has been resolved in these updates.

It is important to underline that I (Aldi Saputra Wahyudi) as discoverer. has not conducted new tests nor confirmed the effectiveness of these corrections.

Communication timeline with manufacturer

• February 8, 2023 – Contact over e-mail.
• February 8, 2023 – Progress acknowledge receipt of the e-mail.
• February 14, 2023 – Progress provides a roadmap to fix the issue.
• November 6, 2023 – Progress reports that the vulnerability has been fixed.
• Desember 05, 2023 – Publication Issue
• June 03, 2024 - Public Release