CVE-2019-9874
KEVSitecore CMS and Experience Platform (XP) Deserialization Vulnerability
9.8
CriticalPublished:
Last updated:
Source:cve@mitre.org
Analyzed
Weakness (CWE)
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- Scope
- Unchanged
- Confidentiality
- High
- Integrity
- High
- Availability
- High
Description
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
References
cve@mitre.org
https://dev.sitecore.net/Downloads.aspxcve@mitre.org
https://www.synacktiv.com/blog.htmlaf854a3a-2127-422b-91ae-364da2661108
https://dev.sitecore.net/Downloads.aspxaf854a3a-2127-422b-91ae-364da2661108
https://www.synacktiv.com/blog.htmlaf854a3a-2127-422b-91ae-364da2661108
https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9874