CVE-2023-6784: 
Progress Sitfinity vulnerability analysis and mitigation

A security vulnerability (CVE-2023-6784) was discovered in Progress Sitefinity, affecting versions from 4.0 up to (excluding) 13.3.7648, 14.1 up to 14.1.7828, 14.2 up to 14.2.7932, 14.3 up to 14.3.8029, 14.4 up to 14.4.8133, and 15.0 up to 15.0.8223. The vulnerability was disclosed in December 2023 and allows malicious users to potentially use the Sitefinity system for the distribution of phishing emails (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. Progress Software Corporation assessed it with a slightly higher CVSS score of 4.7 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N. The vulnerability is associated with CWE-20 (Improper Input Validation) (NVD).

The vulnerability enables malicious users to potentially exploit the Sitefinity system for distributing phishing emails, which could lead to social engineering attacks against system users (NVD).

Progress Software has released patched versions addressing this vulnerability. Users should upgrade to versions 13.3.7648, 14.1.7828, 14.2.7932, 14.3.8029, 14.4.8133, or 15.0.8223 or later depending on their current version (NVD).