CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-7312

CVSS 10.0v3.1pub. 2026-06-02upd. 2026-06-04

CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight and non-default site configuration.

🤖 AI Analysis
How it works

Web services in Progress Sitefinity store or transmit credentials in an insufficiently protected manner (Insufficiently Protected Credentials). An attacker without any authentication, operating remotely over the network, is able to read these data in plain-text form. Successful exploitation requires active integration with Sitefinity Insight service and non-default site configuration.

Impact

An attacker can obtain plain-text credentials used for communication with Sitefinity Insight, which may enable unauthorized access to associated services and data processed by this integration.

Mitigation & patch

Apply patches available from the vendor according to references published in the Progress Sitefinity security advisory (May 2026). Urgent update to versions not listed in the vulnerable ranges is recommended, along with verification of Sitefinity Insight integration configuration.

Who is affected

Progress Sitefinity in versions: 14.0.7700–14.4.8152, 15.0.8200–15.0.8234, 15.1.8300–15.1.8335, 15.2.8400–15.2.8441, 15.3.8500–15.3.8531 and 15.4.8600–15.4.8630

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
  • Progress Sitefinity

    APP
    Progress
    14.0.7700 – 14.4.8152 (bez)15.0.8200 – 15.0.8234 (bez)15.1.8300 – 15.1.8335 (bez)15.2.8400 – 15.2.8441 (bez)15.3.8500 – 15.3.8531 (bez)15.4.8600 – 15.4.8630 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2017-9248CRITICAL9.8⚠ KEVten sam produkt

Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412....

CVE-2026-7198CRITICAL9.8PL ✓ten sam produkt

Obejście uwierzytelnienia w Progress Sitefinity — pełny dostęp bez logowania

CVE-2023-29375CRITICAL9.8ten sam produkt

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1....

CVE-2019-17392CRITICAL9.8ten sam produkt

Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host...

CVE-2017-15883CRITICAL9.8ten sam produkt

Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remote attackers to bypass authentication an...