Description

Sitecore XP is a .NET content management system.

Sitecore XP uses usafe deserialization in Report.ashx. Arbitrary object deserialization is inherently unsafe, and should never be performed on untrusted data. An attacker can leverage this vulnerability to execute arbitrary code on the system.

Remediation

Upgrade to the latest version of Sitecore XP

References

Security Bulletin SC2021-003-499266

Sitecore Experience Platform Pre-Auth RCE - CVE-2021-42237

Related Vulnerabilities

Oracle Sun GlassFish/Java System Application Server Remote Authentication Bypass Vulnerability

Telerik Web UI RadAsyncUpload Deserialization

TimThumb WebShot remote code execution

Sitecore XM/XP Insecure Deserialization (CVE-2025-27218)

WordPress Plugin Custom Content Type Manager Remote Code Execution (0.9.8.5)

Severity

High

Classification

CVE-2021-42237 CWE-502 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Insecure Deserialization Acumonitor Code Execution