CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain plain-text credentials used connect to Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight and non-default site configuration.
Web services in Progress Sitefinity store or transmit credentials in an insufficiently protected manner (Insufficiently Protected Credentials). An attacker without any authentication, operating remotely over the network, is able to read these data in plain-text form. Successful exploitation requires active integration with Sitefinity Insight service and non-default site configuration.
An attacker can obtain plain-text credentials used for communication with Sitefinity Insight, which may enable unauthorized access to associated services and data processed by this integration.
Apply patches available from the vendor according to references published in the Progress Sitefinity security advisory (May 2026). Urgent update to versions not listed in the vulnerable ranges is recommended, along with verification of Sitefinity Insight integration configuration.
Progress Sitefinity in versions: 14.0.7700–14.4.8152, 15.0.8200–15.0.8234, 15.1.8300–15.1.8335, 15.2.8400–15.2.8441, 15.3.8500–15.3.8531 and 15.4.8600–15.4.8630
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:NProgress Sitefinity
APPProgress14.0.7700 – 14.4.8152 (bez)15.0.8200 – 15.0.8234 (bez)15.1.8300 – 15.1.8335 (bez)15.2.8400 – 15.2.8441 (bez)15.3.8500 – 15.3.8531 (bez)15.4.8600 – 15.4.8630 (bez)
Related vulnerabilities
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412....
Obejście uwierzytelnienia w Progress Sitefinity — pełny dostęp bez logowania
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1....
Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host...
Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remote attackers to bypass authentication an...