Page 2 of 11 results (0.004 seconds)

CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 1

An issue was discovered in Sitecore XP/XM 10.3. As an authenticated Sitecore user, a unrestricted language file upload vulnerability exists the can lead to direct code execution on the content management (CM) server. • https://github.com/istern/CVE-2023-26262 https://www.sitecore.com/trust • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 10.0EPSS: 97%CPEs: 24EXPL: 3

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. Sitecore XP Versión Inicial 7.5 a Sitecore XP 8.2 Update-7, es vulnerable a un ataque de deserialización no segura donde es posible lograr una ejecución de comandos remotos en la máquina. No es requerida ninguna autenticación ni configuración especial para explotar esta vulnerabilidad Sitcore XP contains an insecure deserialization vulnerability which can allow for remote code execution. • https://github.com/ItsIgnacioPortal/CVE-2021-42237 https://github.com/vesperp/CVE-2021-42237-SiteCore-XP http://packetstormsecurity.com/files/164988/Sitecore-Experience-Platform-XP-Remote-Code-Execution.html http://sitecore.com https://blog.assetnote.io/2021/11/02/sitecore-rce https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776 • CWE-502: Deserialization of Untrusted Data •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2

In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library and File Manager. An authenticated unprivileged user can modify the uploaded file extension parameter to inject arbitrary JavaScript. En Sitecore versión 9.0 rev 171002, presenta un problema de tipo XSS persistente en la Biblioteca Multimedia y en el Administrador de Archivos. Un usuario sin privilegios autenticado puede modificar el parámetro extensión de archivo cargado para inyectar JavaScript arbitrario. Sitecore version 9.0 rev 171002 suffers from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/47106 http://packetstormsecurity.com/files/153613/Sitecore-9.0-Rev-171002-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.0EPSS: 4%CPEs: 1EXPL: 2

Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object. Sitecore Experience Platform (XP) anterior a versión 9.1.1 es vulnerable a la ejecución de código remota por medio de la deserialización, también se conoce como TFS # 293863. Un usuario autenticado con los permisos necesarios es capaz de ejecutar remotamente los comandos del sistema operativo enviando un objeto serializado creado. Sitecore versions 8.x suffer from a deserialization vulnerability that allows for remote code execution. • https://www.exploit-db.com/exploits/46987 http://packetstormsecurity.com/files/153274/Sitecore-8.x-Deserialization-Remote-Code-Execution.html https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/91/Sitecore%20Experience%20Platform%2091%20Update1/Release%20Notes https://github.com/minecrater/exploits/blob/master/Sitecore8xDeserialRCE • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 1

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN. La deserialización de datos no seguros en el módulo Sitecore.Security.AntiCSRF (conocido como CSRF) en Sitecore CMS versión 7.0 hasta 7.2 y Sitecore XP verisón 7.5 hasta 8.2, permite a un atacante no identificado ejecutar código arbitrario mediante el envío un objeto .NET serializado en el parámetro __CSRFTOKEN como parte del parámetro POST de HTTP. • https://dev.sitecore.net/Downloads.aspx https://www.synacktiv.com/blog.html https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf • CWE-502: Deserialization of Untrusted Data •