CVE-2019-9874
CVE-2019-9874 affects Sitecore CMS 7.0–7.2 and Sitecore XP 7.5–8.2 via the Sitecore.Security.AntiCSRF deserialization module. An unauthenticated attacker can trigger remote code execution by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN, exploiting untrusted data deser...
CVE-2019-9875
CVE-2019-9875 affects the anti-CSRF module of Sitecore CMS/XP in versions up to 9.1. The vulnerability allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter to the Sitecore anti-CSRF handler. The root cause is des...
CVE-2014-100004
Sitecore CMS up to version 7.0 Update-4 (rev. 140120) is affected by an XSS in the handling of XML Controls exposed via the default URI’s xmlcontrol parameter. The vulnerability allows remote attackers to inject arbitrary web scripts or HTML, with the NVD description noting basic impact of cross-...
CVE-2017-11439
CVE-2017-11439 affects Sitecore 8.2 and is a reflected XSS via the Program parameter in shell/Applications/Tools/Run. The vulnerability arises from a failure to filter user input, enabling a remote attacker to inject arbitrary script/HTML when the Program parameter is processed. The CNVD/NVD records co...
CVE-2019-11198
Sitecore CMS 9.0.1 and earlier is affected by multiple XSS vulnerabilities. The CVE describes cross-site scripting via nine UI components (List Manager Dashboard, Campaign Creator, Attributes field, Icon Selection, Latitude/Longitude fields, UploadPackage2.aspx, Context menu, Insert from Template...
CVE-2017-11440
CVE-2017-11440: In Sitecore 8.2, there is an absolute path traversal vulnerability via the fi parameter in shell/Applications/Layouts/IDE.aspx and the Reference parameter in admin/LinqScratchPad.aspx, enabling an attacker to disclose local files. Multiple connected sources (NVD, CNVD, PrioN/CVEs...
CVE-2009-2163
CVE-2009-2163 affects Sitecore CMS prior to version 6.0.2 Update-1 (090507), specifically the login/default.aspx path where the sc_error parameter can be exploited for cross-site scripting (XSS). The vulnerability allows remote attackers to inject arbitrary HTML/script into a user’s browser withi...
CVE-2009-1055
The vulnerability affects Sitecore CMS 5.3.1 rev. 071114, where the web service can disclose security databases and credentials to remote authenticated users via SOAP/XML requests. The root cause is unspecified in the public initial description, but connected Nessus/NVD entries confirm an info...