CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 1CVE-2019-9875
https://notcve.org/view.php?id=CVE-2019-9875
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter. La deserialización de datos no confiables en el módulo anti CSRF en Sitecore hasta la versón 9.1, permite a un atacante identificado ejecutar código arbitrario mediante el envío un objeto .NET serializado dentro de un parámetro POST de HTTP. • https://dev.sitecore.net/Downloads.aspx https://www.synacktiv.com/blog.html https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf • CWE-502: Deserialization of Untrusted Data •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2014-100004
https://notcve.org/view.php?id=CVE-2014-100004
Cross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev. 140120) allows remote attackers to inject arbitrary web script or HTML via the xmlcontrol parameter to the default URI. NOTE: some of these details are obtained from third party information. Vulnerabilidad de XSS en Sitecore CMS anterior a 7.0 actualización-4 (rev. 140120) permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro xmlcontrol en la URI por defecto. NOTA: algunos de estos detalles se obtienen de información de terceras partes. • http://osvdb.org/102660 http://secunia.com/advisories/56705 http://sitecorekh.blogspot.dk/2014/01/sitecore-releases-70-update-4-rev-140120.html http://www.securityfocus.com/archive/1/530901/100/0/threaded http://www.securityfocus.com/bid/65254 https://exchange.xforce.ibmcloud.com/vulnerabilities/90833 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 2CVE-2009-2163 – Sitecore CMS 6.0.0 rev. 090120 - 'default.aspx' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-2163
Cross-site scripting (XSS) vulnerability in login/default.aspx in Sitecore CMS before 6.0.2 Update-1 090507 allows remote attackers to inject arbitrary web script or HTML via the sc_error parameter. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Sitecore CMS versiones anteriores a v6.0.2 Update-1 090507 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante el parámetro "sc_error". • https://www.exploit-db.com/exploits/34930 http://forum.intern0t.net/intern0t-advisories/1082-intern0t-sitecore-net-6-0-0-cross-site-scripting-vulnerability.html http://secunia.com/advisories/35353 http://www.securityfocus.com/archive/1/504093/100/0/threaded http://www.securityfocus.com/archive/1/504132/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •