Description
The web application uses the Sitecore platform. This version of the Sitecore platform has an arbitrary file read vulnerability. Successful exploitation of the vulnerability can result in takeover of the server.
Remediation
Upgrade to the latest version of Sitecore.
References
Security Bulletin SC2024-001-619349
Leveraging An Order of Operations Bug to Achieve RCE in Sitecore 8.x - 10.x