Vulnerabilities > Sitecore > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-05-22 | CVE-2023-27066 | Path Traversal vulnerability in Sitecore Experience Platform Directory Traversal vulnerability in Site Core Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via Urlhandle. | 6.5 |
| 2021-08-12 | CVE-2021-38366 | Unrestricted Upload of File with Dangerous Type vulnerability in Sitecore Sitecore through 10.1, when Update Center is enabled, allows remote authenticated users to upload arbitrary files and achieve remote code execution by visiting an uploaded .aspx file at an admin/Packages URL. | 6.8 |
| 2019-08-05 | CVE-2019-11198 | Cross-site Scripting vulnerability in Sitecore CMS Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog. | 4.3 |
| 2019-05-31 | CVE-2019-9875 | Deserialization of Untrusted Data vulnerability in Sitecore CMS Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter. | 6.5 |
| 2017-07-19 | CVE-2017-11440 | Path Traversal vulnerability in Sitecore CMS 8.2 In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter. | 4.0 |
| 2017-06-23 | CVE-2017-9356 | Cross-site Scripting vulnerability in Sitecore Sitecore.Net 7.1/7.2 Sitecore.NET 7.1 through 7.2 has a Cross Site Scripting Vulnerability via the searchStr parameter to the /Search-Results URI. | 4.3 |
| 2017-05-23 | CVE-2017-5966 | Path Traversal vulnerability in Sitecore CRM 8.1 Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path traversal attack on sitecore/shell/download.aspx with the file parameter. | 4.0 |
| 2017-05-23 | CVE-2017-5965 | Unspecified vulnerability in Sitecore CRM 8.1 The package manager in Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to execute arbitrary ASP code by creating a ZIP archive in which a .asp file has a ..\ in its pathname, visiting sitecore/shell/applications/install/dialogs/Upload%20Package/UploadPackage2.aspx to upload this archive and extract its contents, and visiting a URI under sitecore/ to execute the .asp file. | 6.5 |
| 2017-03-19 | CVE-2016-8855 | Cross-site Scripting vulnerability in Sitecore Experience Platform 8.1 Cross-Site Scripting (XSS) in "/sitecore/client/Applications/List Manager/Taskpages/Contact list" in Sitecore Experience Platform 8.1 rev. | 4.3 |
| 2015-01-13 | CVE-2014-100004 | Cross-site Scripting vulnerability in Sitecore CMS 7.0 Cross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev. | 4.3 |