SEC Consult Vulnerability Lab Security Advisory < 20170822-0 >
===
title: Multiple vulnerabilities
product: Progress Sitefinity
vulnerable version: 9.1
fixed version: 10.1
CVE

Advisory: WebClientPrint Processor 2.0: No Validation of TLS Certificates
RedTeam Pentesting discovered that WebClientPrint Processor (WCPP) does
not validate TLS certificates when initiating HTTPS connections. Thus, a
man-in-the-middle attacker may intercept and/or modify HTTPS traffic in

Advisory: WebClientPrint Processor 2.0: Unauthorised Proxy Modification
RedTeam Pentesting discovered that attackers can configure a proxy host
and port to be used when fetching print jobs with WebClientPrint
Processor (WCPP). This proxy setting may be distributed via specially
crafted websites

Advisory: WebClientPrint Processor 2.0: Remote Code Execution via Print Jobs
RedTeam Pentesting discovered that malicious print jobs can be used to
trigger a remote code execution vulnerability in WebClientPrint
Processor (WCPP). These print jobs may be distributed via specially
crafted websites