Vendor: Sitecore Experience Platform
By: Owais Mehtab
CVSS: 5.4 (MEDIUM)
CWE: 79, Cross-site Scripting (XSS)
Product Name: Sitecore Experience Platform
Affected Version From: 9.0 rev. 171002
Affected Version To: 9.0 rev. 171002
Patch Exists: YES
Related CVE: CVE-2019-13493
CPE: a:sitecore:sitecore_experience_platform:9.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows
2019

Stored Cross Site Scripting (XSS) in Sitecore 9.0 rev 171002

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. In this case the File Extension parameter is not properly escaped. This could lead to an XSS attack that could possibly affect administrators, users, and editors.

Mitigation:

Validate user input, sanitize user input, and use a web application firewall.
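
The mitigation above, sketched as an added example (not code from Sitecore or from the advisory author): allowlist validation of a file-extension value on input plus HTML encoding on output, shown beside the unescaped rendering that the description refers to. The function names, the `<td>` markup and the sample values are assumptions made for illustration.

```python
import html
import re

# Allowlist: 1-10 ASCII letters or digits, the shape of a real file extension.
EXTENSION_RE = re.compile(r"[A-Za-z0-9]{1,10}")


def validate_extension(value: str) -> str:
    """Input side: normalise, then reject anything that is not a plain extension."""
    candidate = value.strip().lstrip(".").lower()
    if not EXTENSION_RE.fullmatch(candidate):
        raise ValueError("invalid file extension")
    return candidate


def render_unescaped(extension: str) -> str:
    """The flaw class described above: a stored value concatenated into HTML as-is."""
    return '<td class="ext">' + extension + "</td>"


def render_escaped(extension: str) -> str:
    """Output side: encode for the HTML context even when the value was validated."""
    return '<td class="ext">' + html.escape(extension, quote=True) + "</td>"


# Constructed sample values, not taken from the advisory.
SAMPLES = ["PNG", ".tar", "jpg<script>alert(1)</script>", 'gif" onmouseover="x']


def review(samples):
    """Return (value, accepted_on_input, escaped_output) for each sample."""
    rows = []
    for raw in samples:
        try:
            validate_extension(raw)
            accepted = True
        except ValueError:
            accepted = False
        rows.append((raw, accepted, render_escaped(raw)))
    return rows


if __name__ == "__main__":
    for raw, accepted, safe in review(SAMPLES):
        print(f"{raw!r:40} accepted={accepted} escaped={safe}")
```

Validation and encoding are independent layers: encoding at render time still protects values that were stored before the validation rule existed.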

Exploit-DB raw data: