CVE-2025-1968: 
Progress Sitfinity vulnerability analysis and mitigation

An Insufficient Session Expiration vulnerability (CVE-2025-1968) was discovered in Progress Software Corporation's Sitefinity platform. The vulnerability was disclosed on April 9, 2025, affecting multiple versions of Sitefinity including versions 14.0 through 14.3, 14.4 before 14.4.8145, 15.0 before 15.0.8231, 15.1 before 15.1.8332, and 15.2 before 15.2.8429. Under specific and uncommon circumstances, the vulnerability allows attackers to reuse Session IDs, potentially enabling Session Replay Attacks (NVD Database).

The vulnerability has been assigned CWE-613 (Insufficient Session Expiration) classification. According to the CVSS 3.1 scoring system, it received a Base Score of 7.7 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L. This scoring indicates that the vulnerability is network-accessible, requires high attack complexity, needs no privileges or user interaction, and can result in high impacts to both confidentiality and integrity, with low impact to availability (NVD Database).

The vulnerability's exploitation could lead to significant security breaches through session replay attacks. With a CVSS score of 7.7 (HIGH), the potential impact includes high levels of unauthorized access to confidential information and system integrity compromise, along with potential minor disruptions to system availability (NVD Database).

Progress Software Corporation has released security updates to address this vulnerability. Organizations using affected versions of Sitefinity should upgrade to the latest patched versions: 14.4.8145 or later for the 14.4 branch, 15.0.8231 or later for the 15.0 branch, 15.1.8332 or later for the 15.1 branch, and 15.2.8429 or later for the 15.2 branch (NVD Database).