CVSS: 10.0EPSS: 93%CPEs: 4EXPL: 3CVE-2023-35813 – Sitecore 8.2 Remote Code Execution
https://notcve.org/view.php?id=CVE-2023-35813
17 Jun 2023 — Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3. Sitecore version 8.2 suffers from a remote code execution vulnerability. • https://packetstorm.news/files/id/177524 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2023-33651
https://notcve.org/view.php?id=CVE-2023-33651
06 Jun 2023 — An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules. • https://blog.assetnote.io/2023/05/10/sitecore-round-two • CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 1CVE-2023-27068
https://notcve.org/view.php?id=CVE-2023-27068
23 May 2023 — Deserialization of Untrusted Data in Sitecore Experience Platform through 10.2 allows remote attackers to run arbitrary code via ValidationResult.aspx. • https://blogs.night-wolf.io/0-day-vulnerabilities-at-sitecore-pagedesigner • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-27066
https://notcve.org/view.php?id=CVE-2023-27066
22 May 2023 — Directory Traversal vulnerability in Site Core Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via Urlhandle. • https://blogs.night-wolf.io/0-day-vulnerabilities-at-sitecore-pagedesigner • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-27067
https://notcve.org/view.php?id=CVE-2023-27067
22 May 2023 — Directory Traversal vulnerability in Sitecore Experience Platform through 10.2 allows remote attackers to download arbitrary files via crafted command to download.aspx • https://blogs.night-wolf.io/0-day-vulnerabilities-at-sitecore-pagedesigner • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.3EPSS: 7%CPEs: 2EXPL: 1CVE-2023-26262
https://notcve.org/view.php?id=CVE-2023-26262
14 Mar 2023 — An issue was discovered in Sitecore XP/XM 10.3. As an authenticated Sitecore user, a unrestricted language file upload vulnerability exists the can lead to direct code execution on the content management (CM) server. • https://github.com/istern/CVE-2023-26262 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 3CVE-2019-13493 – Sitecore 9.0 rev 171002 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-13493
12 Jul 2019 — In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library and File Manager. An authenticated unprivileged user can modify the uploaded file extension parameter to inject arbitrary JavaScript. En Sitecore versión 9.0 rev 171002, presenta un problema de tipo XSS persistente en la Biblioteca Multimedia y en el Administrador de Archivos. Un usuario sin privilegios autenticado puede modificar el parámetro extensión de archivo cargado para inyectar JavaScript arbitrario. Sitecore version 9.0 rev 1710... • https://packetstorm.news/files/id/153613 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 25%CPEs: 1EXPL: 3CVE-2019-11080 – Sitecore 8.x - Deserialization Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-11080
06 Jun 2019 — Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object. Sitecore Experience Platform (XP) anterior a versión 9.1.1 es vulnerable a la ejecución de código remota por medio de la deserialización, también se conoce como TFS # 293863. Un usuario autenticado con los permisos necesarios es capaz de ejecutar remotamen... • https://packetstorm.news/files/id/153274 • CWE-502: Deserialization of Untrusted Data •