CVE-2025-1968 - Vulnerability Details

Description

Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429.

Published: 2025-04-09

Score: 7.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Progress Software Corporation

Sitefinity

unaffected

Version	Status	Constraints
`14.0`	affected	≤ 14.3
`14.4`	affected	< 14.4.8145
`15.0`	affected	< 15.0.8231
`15.1`	affected	< 15.1.8332
`15.2`	affected	< 15.2.8429

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-10436	Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00252.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2025-1968-April-2025

History

Fri, 02 May 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 09 Apr 2025 13:45:00 +0000

Type	Values Removed	Values Added
Description		Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429.
Weaknesses		CWE-613
References		https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2025-1968-April-2025
Metrics		cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published: 2025-04-09T13:33:31.450Z

Updated: 2026-02-26T18:28:29.081Z

Reserved: 2025-03-04T17:18:25.818Z

Link: CVE-2025-1968

Vulnrichment

Updated: 2025-05-02T15:35:24.951Z

NVD

Status : Awaiting Analysis

Published: 2025-04-09T14:15:27.950

Modified: 2025-04-09T20:02:41.860

Link: CVE-2025-1968

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-613

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object