WEB APPLICATION VULNERABILITIES Standard & Premium

Sitecore XP Deserialization RCE (CVE-2021-42237)

Description

Sitecore XP is a .NET content management system.

Sitecore XP uses usafe deserialization in Report.ashx. Arbitrary object deserialization is inherently unsafe, and should never be performed on untrusted data. An attacker can leverage this vulnerability to execute arbitrary code on the system.

Remediation

Upgrade to the latest version of Sitecore XP

References

Security Bulletin SC2021-003-499266

Sitecore Experience Platform Pre-Auth RCE - CVE-2021-42237

Related Vulnerabilities

Oracle Business Intelligence ReportTemplateService XXE (CVE-2021-2400)

VMware vCenter Log4Shell RCE

Liferay TunnelServlet Deserialization Remote Code Execution

Oracle Weblogic WLS-WSAT Component Deserialization RCE

Deserialization of Untrusted Data (Java JSON Deserialization) Genson

Severity

High

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Insecure Deserialization Acumonitor