CVE-2009-4367
Sitecore Staging Module 5.4.0 - Authentication Bypass / File Manipulation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
4Exploited in Wild
-Decision
Descriptions
The Staging Webservice ("sitecore modules/staging/service/api.asmx") in Sitecore Staging Module 5.4.0 rev.080625 and earlier allows remote attackers to bypass authentication and (1) upload files, (2) download files, (3) list directories, and (4) clear the server cache via crafted SOAP requests with arbitrary Username and Password values, possibly related to a direct request.
Staging Webservice ("sitecore modules/staging/service/api.asmx") en Sitecore Staging Module v5.4.0 rev.080625 y anteriores permite a atacantes remotos saltar la autenticación y (1) subir ficheros, (2) bajar ficheros, (3) listar directorios, y (4) limpiar la caché del servidor mediante peticiones SOAP modificas con valores "Username" y "Password" de su elección, posiblemente relacionado con una petición directa.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2009-12-17 First Exploit
- 2009-12-21 CVE Reserved
- 2009-12-21 CVE Published
- 2023-04-06 EPSS Updated
- 2024-08-07 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-287: Improper Authentication
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://osvdb.org/61147 | Vdb Entry | |
| http://www.securityfocus.com/archive/1/508529/100/0/threaded | Mailing List | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/54881 | Vdb Entry |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/10513 | 2009-12-17 | |
| http://www.exploit-db.com/exploits/10513 | 2024-08-07 | |
| http://www.securityfocus.com/bid/37388 | 2024-08-07 | |
| https://www.sec-consult.com/files/20091217-0_sitecore_StagingModule_1.0.txt | 2024-08-07 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://secunia.com/advisories/37763 | 2018-10-10 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Sitecore Search vendor "Sitecore" | Staging Module Search vendor "Sitecore" for product "Staging Module" | <= 5.4.0 Search vendor "Sitecore" for product "Staging Module" and version " <= 5.4.0" | 080625 |
Affected
| ||||||