Vulnerabilities > CVE-2019-11080 - Deserialization of Untrusted Data vulnerability in Sitecore Experience Platform

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

sitecore

CWE-502

exploit available

NVD

Published: 2019-06-06

Updated: 2019-06-13

Summary

Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object.

Vulnerable Configurations

Part	Description	Count
Application	Sitecore Sitecore Experience Platform 7.5 Sitecore Experience Platform 8.0 Sitecore Experience Platform 8.1 Sitecore Experience Platform 8.2 Sitecore Experience Platform 9.0 Sitecore Experience Platform 9.1	30

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Exploit-Db

id	EDB-ID:46987
last seen	2019-06-13
modified	2019-06-13
published	2019-06-13
reporter	Exploit-DB
source	https://www.exploit-db.com/download/46987
title	Sitecore 8.x - Deserialization Remote Code Execution

Packetstorm

data source	https://packetstormsecurity.com/files/download/153274/sitecore8-exec.txt
id	PACKETSTORM:153274
last seen	2019-06-17
published	2019-06-13
reporter	Jarad Kopf
source	https://packetstormsecurity.com/files/153274/Sitecore-8.x-Deserialization-Remote-Code-Execution.html
title	Sitecore 8.x Deserialization Remote Code Execution

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Packetstorm

References