Vulnerabilities > Sitecore > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-05-22 CVE-2023-27066 Path Traversal vulnerability in Sitecore Experience Platform
Directory Traversal vulnerability in Site Core Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via Urlhandle.
network
low complexity
sitecore CWE-22
6.5
2019-08-05 CVE-2019-11198 Cross-site Scripting vulnerability in Sitecore CMS
Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog.
network
low complexity
sitecore CWE-79
6.1
2019-07-17 CVE-2019-13493 Cross-site Scripting vulnerability in Sitecore Experience Platform 9.0
In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library and File Manager.
network
low complexity
sitecore CWE-79
5.4
2017-07-19 CVE-2017-11440 Path Traversal vulnerability in Sitecore CMS 8.2
In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter.
network
low complexity
sitecore CWE-22
4.9
2017-07-19 CVE-2017-11439 Cross-site Scripting vulnerability in Sitecore CMS 8.2
In Sitecore 8.2, there is reflected XSS in the shell/Applications/Tools/Run Program parameter.
network
low complexity
sitecore CWE-79
5.4
2017-06-23 CVE-2017-9356 Cross-site Scripting vulnerability in Sitecore Sitecore.Net 7.1/7.2
Sitecore.NET 7.1 through 7.2 has a Cross Site Scripting Vulnerability via the searchStr parameter to the /Search-Results URI.
network
low complexity
sitecore CWE-79
6.1
2017-05-23 CVE-2017-5966 Path Traversal vulnerability in Sitecore CRM 8.1
Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path traversal attack on sitecore/shell/download.aspx with the file parameter.
network
low complexity
sitecore CWE-22
4.9
2017-05-23 CVE-2017-5965 Unspecified vulnerability in Sitecore CRM 8.1
The package manager in Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to execute arbitrary ASP code by creating a ZIP archive in which a .asp file has a ..\ in its pathname, visiting sitecore/shell/applications/install/dialogs/Upload%20Package/UploadPackage2.aspx to upload this archive and extract its contents, and visiting a URI under sitecore/ to execute the .asp file.
local
low complexity
sitecore
6.7
2017-03-19 CVE-2016-8855 Cross-site Scripting vulnerability in Sitecore Experience Platform 8.1
Cross-Site Scripting (XSS) in "/sitecore/client/Applications/List Manager/Taskpages/Contact list" in Sitecore Experience Platform 8.1 rev.
network
low complexity
sitecore CWE-79
6.1