Description
CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity versions from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used to connect to the Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight, a non-default site configuration and valid back-end authorization.
Published: 2026-06-02
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Progress Software Sitefinity exposes, through its web services, the plain‑text credentials used to connect to the Sitefinity Insight service. A remote attacker who is authenticated with back‑end authorization on a site with active Sitefinity Insight integration can retrieve these credentials, potentially allowing further compromise of back‑end systems. The weakness is a form of insufficiently protected credentials (CWE‑522), which leads to a loss of confidentiality and the risk of unauthorized access to the Insight service.

Affected Systems

Sitefinity versions from 8.0.5700 up to 13.3.7652 are affected. The vulnerability requires a non‑default site configuration, active Sitefinity Insight integration and valid back‑end authorization. All systems running versions within this range that meet those conditions must be considered vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity level. Exploitation requires an authenticated session with back‑end authorization on the target web service (the CVSS vector records PR:H), meaning the attacker must first hold valid privileged credentials for the Sitefinity portal. The EPSS score is not available and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the high CVSS score and the ability to retrieve plain‑text credentials make it a serious risk for organizations that rely on Sitefinity Insight for analytics or other back‑end services. The attacker can use the stolen credentials to access the Insight service or potentially pivot to other systems in the network, depending on the scope of the Insight integration.

Generated by OpenCVE AI on June 2, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Progress Sitefinity security patch that addresses CVE-2026-7313.
  • If a patch is not available, disable or remove the Sitefinity Insight integration until remediation is applied.
  • Ensure that any credentials used by the Insight service are stored securely, for example by encrypting them in configuration files or using a protected credential store.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 15:45:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-522

Tue, 02 Jun 2026 14:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity versions from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used to connect to the Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight, a non-default site configuration and valid back-end authorization.

Type: Title
Values Removed: (none)
Values Added: CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-06-02T15:10:00.446Z

Reserved: 2026-04-28T12:53:37.183Z

Link: CVE-2026-7313

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-02T14:17:14.577

Modified: 2026-06-02T14:37:13.613

Link: CVE-2026-7313

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T15:30:11Z

Weaknesses