First published: Thu Jun 06 2019
Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logout. It instead tries to overwrite the cookie in the browser, but the cookie remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Progress Sitefinity | >=7.0 <7.0.5143 | |
Progress Sitefinity | >=7.1 <7.1.5243 | |
Progress Sitefinity | >=7.2 <7.2.5353 | |
Progress Sitefinity | >=7.3 <7.3.5693 | |
Progress Sitefinity | >=8.0 <8.0.5773 | |
Progress Sitefinity | >=8.1 <8.1.5863 | |
Progress Sitefinity | >=8.2 <8.2.5973 | |
Progress Sitefinity | >=9.0 <9.0.6063 | |
Progress Sitefinity | >=9.1 <9.1.6183 | |
Progress Sitefinity | >=9.2 <9.2.6274 | |
Progress Sitefinity | >=10.0 <10.0.6429 | |
Progress Sitefinity | >=10.1 <=10.1.6540 | |
Progress Sitefinity | >=10.2 <10.2.6649 | |
Progress Sitefinity | >=11.0 <11.0.6736 | |
Progress Sitefinity | >=11.1 <11.1.6826 | |
Progress Sitefinity | >=11.2 <11.2.6929 | |
CVE-2019-7215 is a vulnerability in Progress Sitefinity 10.1.6536 that allows session cookies to remain valid on the server side even after logout.
CVE-2019-7215 affects Progress Sitefinity versions 10.1.6536 and earlier by not invalidating session cookies upon logout.
The severity of CVE-2019-7215 is medium with a CVSS score of 6.5.
To fix CVE-2019-7215, it is recommended to update to a version of Progress Sitefinity that is not affected by the vulnerability.
More information about CVE-2019-7215 can be found in the Progress Knowledge Base.
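The logout behaviour described above, modelled as an added example (not Sitefinity code and not part of the original advisory): a toy in-memory session store where one variant only overwrites the browser cookie and the other also deletes the server-side session. The class, the cookie name `AUTH` and the user name are hypothetical; the check at the end is the regression test a defender would run after patching.

```python
import secrets

class SessionServer:
    """Toy in-memory model, constructed for illustration (not Sitefinity code)."""
    COOKIE = "AUTH"  # hypothetical cookie name

    def __init__(self, invalidate_on_logout):
        self.invalidate_on_logout = invalidate_on_logout
        self.sessions = {}  # token -> username: the server-side session state

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return {"Set-Cookie": f"{self.COOKIE}={token}; HttpOnly; Secure; Path=/"}

    def logout(self, token):
        if self.invalidate_on_logout:
            # Hardened: drop the server-side state so the token is dead everywhere.
            self.sessions.pop(token, None)
        # Both variants tell the browser to discard its own copy of the cookie.
        return {"Set-Cookie": f"{self.COOKIE}=; Max-Age=0; HttpOnly; Secure; Path=/"}

    def whoami(self, token):
        """Return the user a request carrying this cookie is treated as, or None."""
        return self.sessions.get(token)

def token_from(response):
    """Extract the cookie value from a 'NAME=value; attrs' Set-Cookie header."""
    return response["Set-Cookie"].split(";", 1)[0].split("=", 1)[1]

def cookie_survives_logout(server, user="editor"):
    """Regression check: does a cookie saved before logout still work after it?"""
    saved = token_from(server.login(user))
    assert server.whoami(saved) == user
    cleared = server.logout(saved)
    assert token_from(cleared) == ""  # browser copy is overwritten either way
    return server.whoami(saved) is not None  # server-side validity is what matters

if __name__ == "__main__":
    print("client-side overwrite only:", cookie_survives_logout(SessionServer(False)))
    print("server-side invalidation:  ", cookie_survives_logout(SessionServer(True)))
```

In both variants the response to the browser is identical, so the difference is only visible by replaying the saved cookie value against the server after logout.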