CVE-2019-7215
published 2019-06-06


Priority: P431
CVSS 3.0: 6.5 medium, vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.93% (56.0th percentile)
Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed.

Affected (16 ranges)

Vendor     Product     Version range            Fixed in
progress   sitefinity  >= 10.0 < 10.0.6429      10.0.6429
progress   sitefinity  10.1 – 10.1.6540         (not listed)
progress   sitefinity  >= 10.2 < 10.2.6649      10.2.6649
progress   sitefinity  >= 11.0 < 11.0.6736      11.0.6736
progress   sitefinity  >= 11.1 < 11.1.6826      11.1.6826
progress   sitefinity  >= 11.2 < 11.2.6929      11.2.6929
progress   sitefinity  >= 7.0 < 7.0.5143        7.0.5143
progress   sitefinity  >= 7.1 < 7.1.5243        7.1.5243
progress   sitefinity  >= 7.2 < 7.2.5353        7.2.5353
progress   sitefinity  >= 7.3 < 7.3.5693        7.3.5693
progress   sitefinity  >= 8.0 < 8.0.5773        8.0.5773
progress   sitefinity  >= 8.1 < 8.1.5863        8.1.5863
progress   sitefinity  >= 8.2 < 8.2.5973        8.2.5973
progress   sitefinity  >= 9.0 < 9.0.6063        9.0.6063
progress   sitefinity  >= 9.1 < 9.1.6183        9.1.6183
progress   sitefinity  >= 9.2 < 9.2.6274        9.2.6274

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     6.5    MEDIUM    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
nvd     v2.0     6.4    MEDIUM    AV:N/AC:L/Au:N/C:P/I:P/A:N