CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.
| Vendor | Product | Versions |
|---|---|---|
| progress | sitefinity | 15.2.8400, 15.3.8500, 15.4.8600 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| progress | sitefinity | cert_advisory | 90% |
Updated affected versions to include 15.2.8440, 15.3.8530, and 15.4.8629, changed severity to CRITICAL, and noted that there is no available exploit.
Initial creation