Description

Sitecore XP is a .NET content management system.

Sitecore XP uses usafe deserialization in Report.ashx. Arbitrary object deserialization is inherently unsafe, and should never be performed on untrusted data. An attacker can leverage this vulnerability to execute arbitrary code on the system.

Remediation

Upgrade to the latest version of Sitecore XP

References

Security Bulletin SC2021-003-499266

Sitecore Experience Platform Pre-Auth RCE - CVE-2021-42237

Related Vulnerabilities

WordPress Plugin Best Seo Remote Code Execution (1.5)

WordPress Super Socialat backdoor plugin

WordPress Plugin WP-Stateless-Google Cloud Storage Remote Code Execution (2.2.0)

Oracle Access Manager 'opensso' Deserialization RCE (CVE-2021-35587)

Kentico CMS Deserialization RCE

Severity

High

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Insecure Deserialization Acumonitor Code Execution