CVE-2019-11080 - Deserialization of Untrusted Data vulnerability in Sitecore Experience Platform

047910
CVSS 9.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, sitecore, CWE-502, critical, exploit available

Summary

Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with the necessary permissions is able to remotely execute OS commands by sending a crafted serialized object.

Common Weakness Enumeration (CWE)

Exploit-Db

id: EDB-ID:46987
last seen: 2019-06-13
modified: 2019-06-13
published: 2019-06-13
reporter: Exploit-DB
source: https://www.exploit-db.com/download/46987
title: Sitecore 8.x - Deserialization Remote Code Execution

Packetstorm

data source: https://packetstormsecurity.com/files/download/153274/sitecore8-exec.txt
id: PACKETSTORM:153274
last seen: 2019-06-17
published: 2019-06-13
reporter: Jarad Kopf
source: https://packetstormsecurity.com/files/153274/Sitecore-8.x-Deserialization-Remote-Code-Execution.html
title: Sitecore 8.x Deserialization Remote Code Execution