8.8
CVE-2026-7201
- EPSS 0.35%
- Veröffentlicht 02.06.2026 13:07:36
- Zuletzt bearbeitet 04.06.2026 12:42:05
- Quelle security@progress.com
- CVE-Watchlists
- Unerledigt
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Progress ≫ Sitefinity Version >= 15.2.8400 < 15.2.8441
Progress ≫ Sitefinity Version >= 15.3.8500 < 15.3.8531
Progress ≫ Sitefinity Version >= 15.4.8600 < 15.4.8630
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.35% | 0.265 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@progress.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026