Vulnerabilities > Sitecore > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-05-22 CVE-2023-27066 Path Traversal vulnerability in Sitecore Experience Platform
Directory Traversal vulnerability in Site Core Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via Urlhandle.
network
low complexity
sitecore CWE-22
6.5
2021-08-12 CVE-2021-38366 Unrestricted Upload of File with Dangerous Type vulnerability in Sitecore
Sitecore through 10.1, when Update Center is enabled, allows remote authenticated users to upload arbitrary files and achieve remote code execution by visiting an uploaded .aspx file at an admin/Packages URL.
network
sitecore CWE-434
6.8
2019-08-05 CVE-2019-11198 Cross-site Scripting vulnerability in Sitecore CMS
Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog.
network
sitecore CWE-79
4.3
2019-05-31 CVE-2019-9875 Deserialization of Untrusted Data vulnerability in Sitecore CMS
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.
network
low complexity
sitecore CWE-502
6.5
2017-07-19 CVE-2017-11440 Path Traversal vulnerability in Sitecore CMS 8.2
In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter.
network
low complexity
sitecore CWE-22
4.0
2017-06-23 CVE-2017-9356 Cross-site Scripting vulnerability in Sitecore Sitecore.Net 7.1/7.2
Sitecore.NET 7.1 through 7.2 has a Cross Site Scripting Vulnerability via the searchStr parameter to the /Search-Results URI.
network
sitecore CWE-79
4.3
2017-05-23 CVE-2017-5966 Path Traversal vulnerability in Sitecore CRM 8.1
Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path traversal attack on sitecore/shell/download.aspx with the file parameter.
network
low complexity
sitecore CWE-22
4.0
2017-05-23 CVE-2017-5965 Unspecified vulnerability in Sitecore CRM 8.1
The package manager in Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to execute arbitrary ASP code by creating a ZIP archive in which a .asp file has a ..\ in its pathname, visiting sitecore/shell/applications/install/dialogs/Upload%20Package/UploadPackage2.aspx to upload this archive and extract its contents, and visiting a URI under sitecore/ to execute the .asp file.
network
low complexity
sitecore
6.5
2017-03-19 CVE-2016-8855 Cross-site Scripting vulnerability in Sitecore Experience Platform 8.1
Cross-Site Scripting (XSS) in "/sitecore/client/Applications/List Manager/Taskpages/Contact list" in Sitecore Experience Platform 8.1 rev.
network
sitecore CWE-79
4.3
2015-01-13 CVE-2014-100004 Cross-site Scripting vulnerability in Sitecore CMS 7.0
Cross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev.
network
sitecore CWE-79
4.3