Sitecore XP RCE flaw patched last month now actively exploited
The Australian Cyber Security Centre is alerting web administrators to active exploitation of CVE-2021-42237, a remote code execution flaw in the Sitecore Experience Platform.
Sitecore XP is an enterprise-level content management system with data analytics used by well-known companies, including American Express, IKEA, Carnival Cruise Lines, L'Oréal, and Volvo.
On October 13, Sitecore disclosed and released a patch for a pre-authentication remote code execution vulnerability, tracked as CVE-2021-42237, affecting the Sitecore Experience Platform.
The vulnerable Sitecore XP component used in the attacks is Report.
The recommended solution is to upgrade to a secure version, ideally Sitecore XP 9.0 or higher.
For more details on mitigating CVE-2021-42237 and how it affects your installed version, review Sitecore's security bulletin.
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-11-05 | CVE-2021-42237 | Deserialization of Untrusted Data vulnerability in Sitecore Experience Platform. Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. | 10.0 |
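The affected range in the entry above (7.5 Initial Release through 8.2 Update-7) and the upgrade target named in the article (9.0 or higher) are the two facts a defender needs for inventory triage. The script below is an added example, not code from the article, the ACSC advisory or Sitecore: it parses Sitecore XP version labels and classifies each against that range. The label formats it accepts ("8.2 Update-7", "7.5 Initial Release", "Sitecore 8.2 rev. 170728 (Update-5)") are an assumption about how releases are labelled, and the sample inventory is constructed.

```python
"""Version triage for CVE-2021-42237 (added example; not the article's,
the ACSC's or Sitecore's code). Classifies Sitecore XP version labels
against the affected range listed in the vulnerability entry and the
upgrade target named in the article."""
import re
from typing import Iterable, Dict, Optional, Tuple

# Boundaries taken from the vulnerability entry and the article, as
# (major, minor, update); "Initial Release" is treated as update 0.
AFFECTED_MIN = (7, 5, 0)   # Sitecore XP 7.5 Initial Release
AFFECTED_MAX = (8, 2, 7)   # Sitecore XP 8.2 Update-7
FIXED_MIN = (9, 0, 0)      # upgrade target named in the article

# Assumed label formats (not stated on the page): "8.2 Update-7",
# "7.5 Initial Release", "9.0", "Sitecore 8.2 rev. 170728 (Update-5)".
_VERSION_RE = re.compile(
    r"(?:Sitecore\s+)?(?:XP\s+)?(\d+)\.(\d+)"                   # major.minor
    r"(?:\s+rev\.\s*\d+)?"                                      # optional "rev. NNNNNN"
    r"(?:\s*\(?\s*(?:Initial\s+Release|Update-(\d+))\s*\)?)?",  # optional update label
    re.IGNORECASE,
)


def parse_version(label: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, update) for a recognised label, else None."""
    m = _VERSION_RE.fullmatch(label.strip())
    if not m:
        return None
    major, minor, update = m.group(1), m.group(2), m.group(3)
    return (int(major), int(minor), int(update) if update else 0)


def classify(label: str) -> str:
    """Map a version label to one of:
    'affected'      inside the range the entry lists for CVE-2021-42237
    'fixed'         at or above the 9.0 upgrade target
    'not-listed'    parses, but outside the listed range and below 9.0;
                    the page does not say it is safe, so check the bulletin
    'unrecognised'  label format not understood; check manually
    """
    v = parse_version(label)
    if v is None:
        return "unrecognised"
    if v >= FIXED_MIN:
        return "fixed"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    return "not-listed"


def triage(labels: Iterable[str]) -> Dict[str, str]:
    """Classify a batch of labels, e.g. pulled from an asset inventory."""
    return {label: classify(label) for label in labels}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [
        "Sitecore XP 7.5 Initial Release",
        "8.2 Update-7",
        "Sitecore 8.2 rev. 170728 (Update-5)",
        "9.0 Update-2",
        "10.1",
        "7.2 Update-1",
        "latest",
    ]
    for label, verdict in triage(sample).items():
        print(f"{label:40s} {verdict}")
```

Note that a version below 7.5 or otherwise outside the listed range is reported as `not-listed` rather than safe: the page states only the affected range and the 9.0 upgrade target, so anything in between should be checked against Sitecore's bulletin instead of being assumed clean.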