CVE-2023-27636: 
Progress Sitfinity vulnerability analysis and mitigation

Progress Sitefinity versions before 15.0.0 are affected by a Cross-Site Scripting (XSS) vulnerability that allows authenticated users to inject malicious scripts via the content form in the SF Editor (NVD, CVE). The vulnerability was discovered in February 2023 and was assigned CVE-2023-27636.

The vulnerability exists in the backend of the Sitefinity CMS, specifically affecting all features that use the SF-Editor component. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows authenticated users with lower privileges to inject malicious scripts that can be executed when users with higher privileges view the affected content. This could lead to unauthorized actions being performed in the context of the victim's session (Aldisaw).

The vulnerability has been fixed in Progress Sitefinity version 15.0.0. Organizations using affected versions should upgrade to version 15.0.0 or later to mitigate this security risk (Aldisaw).

Progress acknowledged the vulnerability report on February 8, 2023, and provided a roadmap for fixing the issue on February 14, 2023. The fix was reported as complete on November 6, 2023, with public disclosure following in June 2024 (Aldisaw).