
RCE vulnerability found in Sitecore enterprise CMS software


Jessica Haworth

03 November 2021 at 13:45 UTC

Updated: 03 November 2021 at 13:46 UTC

Vendor update is available now


A remote code execution vulnerability has been found in the enterprise CMS product Sitecore XP that could leave all unpatched instances open to abuse.

Sitecore is an enterprise content management system (CMS) which, according to researchers from Assetnote, has an estimated 4,500 customers, including Fortune 500 companies.


The researchers found that the software was vulnerable to a pre-authentication RCE attack due to insecure deserialization in the Report.ashx file, meaning an attacker needs no valid Sitecore account to reach the vulnerable code path.

They discovered the vulnerability while probing Sitecore's attack surface during a client engagement.

A blog post published yesterday (November 2) includes full technical details.


The vulnerability is pending a CVE number but is being tracked by the vendor as SC2021-003-499266.

It affects all Sitecore systems running affected versions that are exposed to the internet, including single-instance and multi-instance environments, managed cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, etc).

To remediate the issue, Assetnote advised users to “simply remove the file from ”, and pointed to Sitecore’s security advisory.
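Because the handler is reachable before authentication, the question a defender wants answered after patching is whether anyone reached Report.ashx before the file was removed. The following is an added example, not code from the article, Assetnote or Sitecore: it parses IIS W3C-extended logs (the `#Fields:` header drives the parsing) and flags requests whose URI stem ends in Report.ashx, separating unauthenticated POSTs, which are the ones to triage first. The log lines are constructed, and the path under `/sitecore/shell/` is an assumption, since the article names only the file, so matching is done on the file name alone.

```python
"""Scan IIS W3C-extended logs for requests to Sitecore's Report.ashx handler.

Added example, not from the article or from Assetnote/Sitecore. Assumes W3C
logging with a '#Fields:' header (IIS default). SAMPLE_LOG is constructed;
the directory part of the handler path is an assumption, so matching is on
the file name only.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

TARGET_FILE = "report.ashx"  # compared case-insensitively with the last URI segment

# Constructed sample log in the W3C extended format IIS writes.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-11-02 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-11-02 09:00:01 10.0.0.5 GET /sitecore/shell/ClientBin/Reporting/Report.ashx - 443 - 203.0.113.7 python-requests/2.26 200
2021-11-02 09:00:02 10.0.0.5 POST /sitecore/shell/ClientBin/Reporting/Report.ashx - 443 - 203.0.113.7 python-requests/2.26 500
2021-11-02 09:00:03 10.0.0.5 GET /sitecore/login - 443 - 198.51.100.2 Mozilla/5.0 200
2021-11-02 09:00:04 10.0.0.5 POST /sitecore/shell/clientbin/reporting/REPORT.ASHX - 443 sitecore\\admin 198.51.100.2 Mozilla/5.0 200
2021-11-02 09:00:05 10.0.0.5 GET /api/sitecore/report.ashx.bak - 443 - 203.0.113.7 curl/7.79 404
"""


@dataclass
class Hit:
    time: str
    client_ip: str
    method: str
    uri: str
    status: str
    authenticated: bool  # True when cs-username is anything other than '-'


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields header.

    IIS replaces spaces inside a field with '+', so splitting on a single
    space is safe. Directives other than #Fields are skipped.
    """
    fields: Optional[List[str]] = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record appears before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in record: {line!r}")
        yield dict(zip(fields, values))


def find_report_ashx_hits(log_text: str) -> List[Hit]:
    """Return every request whose URI stem names Report.ashx (any case).

    The match is on the final path segment only, so 'report.ashx.bak' or a
    different directory layout does not hide or fake a hit.
    """
    hits: List[Hit] = []
    for rec in parse_w3c(log_text.splitlines()):
        stem = rec["cs-uri-stem"]
        if stem.rsplit("/", 1)[-1].lower() != TARGET_FILE:
            continue
        hits.append(Hit(
            time=f"{rec['date']} {rec['time']}",
            client_ip=rec["c-ip"],
            method=rec["cs-method"],
            uri=stem,
            status=rec["sc-status"],
            authenticated=rec["cs-username"] != "-",
        ))
    return hits


def unauthenticated_posts(hits: List[Hit]) -> List[Hit]:
    """Pre-auth POSTs are where a deserialization payload would arrive."""
    return [h for h in hits if h.method == "POST" and not h.authenticated]


if __name__ == "__main__":
    all_hits = find_report_ashx_hits(SAMPLE_LOG)
    for h in all_hits:
        print(h)
    print("unauthenticated POSTs:", len(unauthenticated_posts(all_hits)))
```

Run it against the real logs for the period before the file was removed (or before the upgrade); a 500 on an unauthenticated POST, as in the constructed second record, is exactly the pattern a failed or successful gadget-chain attempt would leave and deserves a closer look at the request body if you have it. After remediation the handler returns 404, which IIS still logs, so continued probing remains visible.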


Sitecore has advised users to upgrade to version 9.0.0 or higher, which protects against the vulnerability.

The Daily Swig has reached out to Assetnote for more information and will update this article accordingly.

