Vulnerabilites related to sitecore - cms
Vulnerability from fkie_nvd
Published
2019-08-05 18:15
Modified
2024-11-21 04:20
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/92/Sitecore%20Experience%20Platform%2092%20Initial%20Release/Release%20Notes | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://outpost24.com/blog | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/92/Sitecore%20Experience%20Platform%2092%20Initial%20Release/Release%20Notes | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://outpost24.com/blog | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sitecore:cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E5B48F96-1422-4E56-A2D6-8356D53E3D33",
"versionEndIncluding": "9.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting (XSS) en CMS de Sitecore versi\u00f3n 9.0.1 y anteriores, permiten a los atacantes remotos inyectar script web o HTML arbitrario por medio de (1) #300583 - M\u00f3dulo List Manager Dashboard, (2) #307638 - M\u00f3dulo Campaign Creator, (3) #316994 - Campo Attributes, (4) I#316995 - M\u00f3dulo Icon Selection, (5) #317000 - Campo Latitude, (6) #317000 - Campo Longitude, (7) #317017 - M\u00f3dulo UploadPackage2.aspx, ( 8) #317072 - Men\u00fa Context, o (9) I#317073 - Insertar desde el cuadro de di\u00e1logo Template."
}
],
"id": "CVE-2019-11198",
"lastModified": "2024-11-21T04:20:42.510",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-05T18:15:10.657",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/92/Sitecore%20Experience%20Platform%2092%20Initial%20Release/Release%20Notes"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://outpost24.com/blog"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/92/Sitecore%20Experience%20Platform%2092%20Initial%20Release/Release%20Notes"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://outpost24.com/blog"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-06-22 20:30
Modified
2024-11-21 01:04
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in login/default.aspx in Sitecore CMS before 6.0.2 Update-1 090507 allows remote attackers to inject arbitrary web script or HTML via the sc_error parameter.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sitecore:cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "40923C49-775A-49A3-BDC4-264838748CEC",
"versionEndIncluding": "6.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sitecore:cms:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "20271A9D-C591-4206-AF17-9170BA32C70E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sitecore:cms:5.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FADD8B45-3408-454B-BB24-C9E51CDC05D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sitecore:cms:6.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "926DE827-2E52-40F5-927B-0B18CF57FE76",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in login/default.aspx in Sitecore CMS before 6.0.2 Update-1 090507 allows remote attackers to inject arbitrary web script or HTML via the sc_error parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Sitecore CMS versiones anteriores a v6.0.2 Update-1 090507 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n mediante el par\u00e1metro \"sc_error\"."
}
],
"id": "CVE-2009-2163",
"lastModified": "2024-11-21T01:04:16.480",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2009-06-22T20:30:00.233",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://forum.intern0t.net/intern0t-advisories/1082-intern0t-sitecore-net-6-0-0-cross-site-scripting-vulnerability.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/35353"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/504093/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/504132/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://forum.intern0t.net/intern0t-advisories/1082-intern0t-sitecore-net-6-0-0-cross-site-scripting-vulnerability.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/35353"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/504093/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/504132/100/0/threaded"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-01-13 11:59
Modified
2024-11-21 02:03
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev. 140120) allows remote attackers to inject arbitrary web script or HTML via the xmlcontrol parameter to the default URI. NOTE: some of these details are obtained from third party information.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sitecore:cms:*:3:*:*:*:*:*:*",
"matchCriteriaId": "1E20BD67-3366-4B00-9F78-773BAA3F455D",
"versionEndIncluding": "7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev. 140120) allows remote attackers to inject arbitrary web script or HTML via the xmlcontrol parameter to the default URI. NOTE: some of these details are obtained from third party information."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en Sitecore CMS anterior a 7.0 actualizaci\u00f3n-4 (rev. 140120) permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro xmlcontrol en la URI por defecto. NOTA: algunos de estos detalles se obtienen de informaci\u00f3n de terceras partes."
}
],
"id": "CVE-2014-100004",
"lastModified": "2024-11-21T02:03:12.383",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-01-13T11:59:03.303",
"references": [
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/102660"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/56705"
},
{
"source": "cve@mitre.org",
"url": "http://sitecorekh.blogspot.dk/2014/01/sitecore-releases-70-update-4-rev-140120.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/530901/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/65254"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90833"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/102660"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/56705"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://sitecorekh.blogspot.dk/2014/01/sitecore-releases-70-update-4-rev-140120.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/530901/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/65254"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90833"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-07-19 07:29
Modified
2024-11-21 03:07
Severity ?
Summary
In Sitecore 8.2, there is reflected XSS in the shell/Applications/Tools/Run Program parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sitecore:cms:8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CC590FA4-067E-4DF4-AD10-DE40097B713B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Sitecore 8.2, there is reflected XSS in the shell/Applications/Tools/Run Program parameter."
},
{
"lang": "es",
"value": "En Sitecore versi\u00f3n 8.2, se presenta un problema de tipo XSS reflejado del par\u00e1metro Program del archivo shell/Applications/Tools/Run."
}
],
"id": "CVE-2017-11439",
"lastModified": "2024-11-21T03:07:47.460",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-19T07:29:00.283",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-05-31 21:29
Modified
2024-11-21 04:52
Severity ?
Summary
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://dev.sitecore.net/Downloads.aspx | Product, Vendor Advisory | |
| cve@mitre.org | https://www.synacktiv.com/blog.html | Third Party Advisory | |
| cve@mitre.org | https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://dev.sitecore.net/Downloads.aspx | Product, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.synacktiv.com/blog.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf | Exploit, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sitecore:cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "493A24AA-2833-42B9-B5AA-AFC99528D420",
"versionEndIncluding": "9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter."
},
{
"lang": "es",
"value": "La deserializaci\u00f3n de datos no confiables en el m\u00f3dulo anti CSRF en Sitecore hasta la vers\u00f3n 9.1, permite a un atacante identificado ejecutar c\u00f3digo arbitrario mediante el env\u00edo un objeto .NET serializado dentro de un par\u00e1metro POST de HTTP."
}
],
"id": "CVE-2019-9875",
"lastModified": "2024-11-21T04:52:29.317",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-31T21:29:06.187",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://dev.sitecore.net/Downloads.aspx"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.synacktiv.com/blog.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://dev.sitecore.net/Downloads.aspx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.synacktiv.com/blog.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-07-19 07:29
Modified
2024-11-21 03:07
Severity ?
Summary
In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sitecore:cms:8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CC590FA4-067E-4DF4-AD10-DE40097B713B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter."
},
{
"lang": "es",
"value": "En Sitecore versi\u00f3n 8.2, se presenta un salto de ruta (path) de acceso absoluto por medio del par\u00e1metro fi del archivo shell/Applications/Layouts/IDE.aspx y el par\u00e1metro Reference del archivo admin/LinqScratchPad.aspx."
}
],
"id": "CVE-2017-11440",
"lastModified": "2024-11-21T03:07:47.603",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-19T07:29:00.313",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-05-31 21:29
Modified
2024-11-21 04:52
Severity ?
Summary
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://dev.sitecore.net/Downloads.aspx | Product, Vendor Advisory | |
| cve@mitre.org | https://www.synacktiv.com/blog.html | Third Party Advisory | |
| cve@mitre.org | https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://dev.sitecore.net/Downloads.aspx | Product, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.synacktiv.com/blog.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf | Exploit, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sitecore | cms | * | |
| sitecore | experience_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sitecore:cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9B358977-D881-4B0A-8F4D-6D1B0BAAB665",
"versionEndIncluding": "7.2",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BC833020-7B0B-4593-B4B5-C073F01CC0C2",
"versionEndIncluding": "8.2",
"versionStartIncluding": "7.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN."
},
{
"lang": "es",
"value": "La deserializaci\u00f3n de datos no seguros en el m\u00f3dulo Sitecore.Security.AntiCSRF (conocido como CSRF) en Sitecore CMS versi\u00f3n 7.0 hasta 7.2 y Sitecore XP veris\u00f3n 7.5 hasta 8.2, permite a un atacante no identificado ejecutar c\u00f3digo arbitrario mediante el env\u00edo un objeto .NET serializado en el par\u00e1metro __CSRFTOKEN como parte del par\u00e1metro POST de HTTP."
}
],
"id": "CVE-2019-9874",
"lastModified": "2024-11-21T04:52:29.180",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-31T21:29:06.123",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://dev.sitecore.net/Downloads.aspx"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.synacktiv.com/blog.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://dev.sitecore.net/Downloads.aspx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.synacktiv.com/blog.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-03-24 14:30
Modified
2024-11-21 01:01
Severity ?
Summary
Unspecified vulnerability in the web service in Sitecore CMS 5.3.1 rev. 071114 allows remote authenticated users to gain access to security databases, and obtain administrative and user credentials, via unknown vectors related to SOAP and XML requests.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sitecore:cms:5.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "20271A9D-C591-4206-AF17-9170BA32C70E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sitecore:cms:5.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FADD8B45-3408-454B-BB24-C9E51CDC05D7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in the web service in Sitecore CMS 5.3.1 rev. 071114 allows remote authenticated users to gain access to security databases, and obtain administrative and user credentials, via unknown vectors related to SOAP and XML requests."
},
{
"lang": "es",
"value": "Vulnerabilidad inespec\u00edfica en el servicio web en Sitecore CMS v5.3.1 rev. 071114 permite a usuarios remotos autenticados conseguir acceso a las bases de datos de seguridad, y obtener credenciales administrativas y de usuario, a trav\u00e9s de vectores desconocidos relacionados con las peticiones a SOAP y XML."
}
],
"id": "CVE-2009-1055",
"lastModified": "2024-11-21T01:01:33.390",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2009-03-24T14:30:00.420",
"references": [
{
"source": "cve@mitre.org",
"url": "http://sdn5.sitecore.net/Products/Sitecore%20V5/Sitecore%20CMS%205%2C-d-%2C3/ReleaseNotes/V5%2C-d-%2C3%2C-d-%2C2/ChangeLog.aspx"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/34356"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/501929/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/34162"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/0753"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49298"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://sdn5.sitecore.net/Products/Sitecore%20V5/Sitecore%20CMS%205%2C-d-%2C3/ReleaseNotes/V5%2C-d-%2C3%2C-d-%2C2/ChangeLog.aspx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/34356"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/501929/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/34162"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/0753"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49298"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2009-1055
Vulnerability from cvelistv5
Published
2009-03-24 14:00
Modified
2024-08-07 04:57
Severity ?
EPSS score ?
Summary
Unspecified vulnerability in the web service in Sitecore CMS 5.3.1 rev. 071114 allows remote authenticated users to gain access to security databases, and obtain administrative and user credentials, via unknown vectors related to SOAP and XML requests.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/archive/1/501929/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://www.vupen.com/english/advisories/2009/0753 | vdb-entry, x_refsource_VUPEN | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/49298 | vdb-entry, x_refsource_XF | |
| http://www.securityfocus.com/bid/34162 | vdb-entry, x_refsource_BID | |
| http://sdn5.sitecore.net/Products/Sitecore%20V5/Sitecore%20CMS%205%2C-d-%2C3/ReleaseNotes/V5%2C-d-%2C3%2C-d-%2C2/ChangeLog.aspx | x_refsource_CONFIRM | |
| http://secunia.com/advisories/34356 | third-party-advisory, x_refsource_SECUNIA |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T04:57:17.565Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20090317 Sitecore .NET 5.3.x - web service information disclosure",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/501929/100/0/threaded"
},
{
"name": "ADV-2009-0753",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2009/0753"
},
{
"name": "sitecore-web-service-info-disclosure(49298)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49298"
},
{
"name": "34162",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/34162"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://sdn5.sitecore.net/Products/Sitecore%20V5/Sitecore%20CMS%205%2C-d-%2C3/ReleaseNotes/V5%2C-d-%2C3%2C-d-%2C2/ChangeLog.aspx"
},
{
"name": "34356",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/34356"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2009-02-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in the web service in Sitecore CMS 5.3.1 rev. 071114 allows remote authenticated users to gain access to security databases, and obtain administrative and user credentials, via unknown vectors related to SOAP and XML requests."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-10T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20090317 Sitecore .NET 5.3.x - web service information disclosure",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/501929/100/0/threaded"
},
{
"name": "ADV-2009-0753",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2009/0753"
},
{
"name": "sitecore-web-service-info-disclosure(49298)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49298"
},
{
"name": "34162",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/34162"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://sdn5.sitecore.net/Products/Sitecore%20V5/Sitecore%20CMS%205%2C-d-%2C3/ReleaseNotes/V5%2C-d-%2C3%2C-d-%2C2/ChangeLog.aspx"
},
{
"name": "34356",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/34356"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2009-1055",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unspecified vulnerability in the web service in Sitecore CMS 5.3.1 rev. 071114 allows remote authenticated users to gain access to security databases, and obtain administrative and user credentials, via unknown vectors related to SOAP and XML requests."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20090317 Sitecore .NET 5.3.x - web service information disclosure",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/501929/100/0/threaded"
},
{
"name": "ADV-2009-0753",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2009/0753"
},
{
"name": "sitecore-web-service-info-disclosure(49298)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49298"
},
{
"name": "34162",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/34162"
},
{
"name": "http://sdn5.sitecore.net/Products/Sitecore%20V5/Sitecore%20CMS%205,-d-,3/ReleaseNotes/V5,-d-,3,-d-,2/ChangeLog.aspx",
"refsource": "CONFIRM",
"url": "http://sdn5.sitecore.net/Products/Sitecore%20V5/Sitecore%20CMS%205,-d-,3/ReleaseNotes/V5,-d-,3,-d-,2/ChangeLog.aspx"
},
{
"name": "34356",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/34356"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2009-1055",
"datePublished": "2009-03-24T14:00:00",
"dateReserved": "2009-03-24T00:00:00",
"dateUpdated": "2024-08-07T04:57:17.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2009-2163
Vulnerability from cvelistv5
Published
2009-06-22 20:00
Modified
2024-08-07 05:44
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in login/default.aspx in Sitecore CMS before 6.0.2 Update-1 090507 allows remote attackers to inject arbitrary web script or HTML via the sc_error parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/archive/1/504093/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://www.securityfocus.com/archive/1/504132/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://secunia.com/advisories/35353 | third-party-advisory, x_refsource_SECUNIA | |
| http://forum.intern0t.net/intern0t-advisories/1082-intern0t-sitecore-net-6-0-0-cross-site-scripting-vulnerability.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T05:44:55.583Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20090603 [InterN0T] SiteCore.NET 6.0.0 - XSS Vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/504093/100/0/threaded"
},
{
"name": "20090605 Re: [InterN0T] SiteCore.NET 6.0.0 - XSS Vulnerability-fixed",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/504132/100/0/threaded"
},
{
"name": "35353",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/35353"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://forum.intern0t.net/intern0t-advisories/1082-intern0t-sitecore-net-6-0-0-cross-site-scripting-vulnerability.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2009-06-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in login/default.aspx in Sitecore CMS before 6.0.2 Update-1 090507 allows remote attackers to inject arbitrary web script or HTML via the sc_error parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-10T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20090603 [InterN0T] SiteCore.NET 6.0.0 - XSS Vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/504093/100/0/threaded"
},
{
"name": "20090605 Re: [InterN0T] SiteCore.NET 6.0.0 - XSS Vulnerability-fixed",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/504132/100/0/threaded"
},
{
"name": "35353",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/35353"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://forum.intern0t.net/intern0t-advisories/1082-intern0t-sitecore-net-6-0-0-cross-site-scripting-vulnerability.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2009-2163",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in login/default.aspx in Sitecore CMS before 6.0.2 Update-1 090507 allows remote attackers to inject arbitrary web script or HTML via the sc_error parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20090603 [InterN0T] SiteCore.NET 6.0.0 - XSS Vulnerability",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/504093/100/0/threaded"
},
{
"name": "20090605 Re: [InterN0T] SiteCore.NET 6.0.0 - XSS Vulnerability-fixed",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/504132/100/0/threaded"
},
{
"name": "35353",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/35353"
},
{
"name": "http://forum.intern0t.net/intern0t-advisories/1082-intern0t-sitecore-net-6-0-0-cross-site-scripting-vulnerability.html",
"refsource": "MISC",
"url": "http://forum.intern0t.net/intern0t-advisories/1082-intern0t-sitecore-net-6-0-0-cross-site-scripting-vulnerability.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2009-2163",
"datePublished": "2009-06-22T20:00:00",
"dateReserved": "2009-06-22T00:00:00",
"dateUpdated": "2024-08-07T05:44:55.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-11440
Vulnerability from cvelistv5
Published
2017-07-19 07:00
Modified
2024-08-05 18:12
Severity ?
EPSS score ?
Summary
In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:12:39.722Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-19T06:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-11440",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/",
"refsource": "MISC",
"url": "https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/"
},
{
"name": "https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-11440",
"datePublished": "2017-07-19T07:00:00",
"dateReserved": "2017-07-19T00:00:00",
"dateUpdated": "2024-08-05T18:12:39.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-11439
Vulnerability from cvelistv5
Published
2017-07-19 07:00
Modified
2024-08-05 18:12
Severity ?
EPSS score ?
Summary
In Sitecore 8.2, there is reflected XSS in the shell/Applications/Tools/Run Program parameter.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:12:40.212Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Sitecore 8.2, there is reflected XSS in the shell/Applications/Tools/Run Program parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-19T06:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-11439",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Sitecore 8.2, there is reflected XSS in the shell/Applications/Tools/Run Program parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/",
"refsource": "MISC",
"url": "https://xc0re.net/2017/07/03/sitecore-cms-v-8-2-multiple-vulnerabilties/"
},
{
"name": "https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/143357/Sitecore-CMS-8.2-Cross-Site-Scripting-File-Disclosure.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-11439",
"datePublished": "2017-07-19T07:00:00",
"dateReserved": "2017-07-19T00:00:00",
"dateUpdated": "2024-08-05T18:12:40.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-11198
Vulnerability from cvelistv5
Published
2019-08-05 17:13
Modified
2024-08-04 22:48
Severity ?
EPSS score ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:48:08.965Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://outpost24.com/blog"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/92/Sitecore%20Experience%20Platform%2092%20Initial%20Release/Release%20Notes"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-05T17:13:06",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://outpost24.com/blog"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/92/Sitecore%20Experience%20Platform%2092%20Initial%20Release/Release%20Notes"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11198",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Sitecore CMS 9.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) #300583 - List Manager Dashboard module, (2) #307638 - Campaign Creator module, (3) #316994 - Attributes field, (4) I#316995 - Icon Selection module, (5) #317000 - Latitude field, (6) #317000 - Longitude field, (7) #317017 - UploadPackage2.aspx module, (8) #317072 - Context menu, or (9) I#317073 - Insert from Template dialog."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://outpost24.com/blog",
"refsource": "MISC",
"url": "https://outpost24.com/blog"
},
{
"name": "https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/92/Sitecore%20Experience%20Platform%2092%20Initial%20Release/Release%20Notes",
"refsource": "MISC",
"url": "https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/92/Sitecore%20Experience%20Platform%2092%20Initial%20Release/Release%20Notes"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11198",
"datePublished": "2019-08-05T17:13:06",
"dateReserved": "2019-04-11T00:00:00",
"dateUpdated": "2024-08-04T22:48:08.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-9874
Vulnerability from cvelistv5
Published
2019-05-31 20:11
Modified
2024-08-04 22:01
Severity ?
EPSS score ?
Summary
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
References
| ▼ | URL | Tags |
|---|---|---|
| https://dev.sitecore.net/Downloads.aspx | x_refsource_MISC | |
| https://www.synacktiv.com/blog.html | x_refsource_MISC | |
| https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:01:55.184Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://dev.sitecore.net/Downloads.aspx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.synacktiv.com/blog.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-31T20:11:49",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://dev.sitecore.net/Downloads.aspx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.synacktiv.com/blog.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-9874",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://dev.sitecore.net/Downloads.aspx",
"refsource": "MISC",
"url": "https://dev.sitecore.net/Downloads.aspx"
},
{
"name": "https://www.synacktiv.com/blog.html",
"refsource": "MISC",
"url": "https://www.synacktiv.com/blog.html"
},
{
"name": "https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf",
"refsource": "MISC",
"url": "https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-9874",
"datePublished": "2019-05-31T20:11:49",
"dateReserved": "2019-03-19T00:00:00",
"dateUpdated": "2024-08-04T22:01:55.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2014-100004
Vulnerability from cvelistv5
Published
2015-01-13 11:00
Modified
2024-08-06 14:10
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev. 140120) allows remote attackers to inject arbitrary web script or HTML via the xmlcontrol parameter to the default URI. NOTE: some of these details are obtained from third party information.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/65254 | vdb-entry, x_refsource_BID | |
| http://osvdb.org/102660 | vdb-entry, x_refsource_OSVDB | |
| http://secunia.com/advisories/56705 | third-party-advisory, x_refsource_SECUNIA | |
| http://sitecorekh.blogspot.dk/2014/01/sitecore-releases-70-update-4-rev-140120.html | x_refsource_MISC | |
| http://www.securityfocus.com/archive/1/530901/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/90833 | vdb-entry, x_refsource_XF |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T14:10:54.900Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "65254",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/65254"
},
{
"name": "102660",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/102660"
},
{
"name": "56705",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/56705"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://sitecorekh.blogspot.dk/2014/01/sitecore-releases-70-update-4-rev-140120.html"
},
{
"name": "20140129 SiteCore XML Control Script Insertion",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/530901/100/0/threaded"
},
{
"name": "sitecore-xmlcontrol-xss(90833)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90833"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-01-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev. 140120) allows remote attackers to inject arbitrary web script or HTML via the xmlcontrol parameter to the default URI. NOTE: some of these details are obtained from third party information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "65254",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/65254"
},
{
"name": "102660",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/102660"
},
{
"name": "56705",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/56705"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://sitecorekh.blogspot.dk/2014/01/sitecore-releases-70-update-4-rev-140120.html"
},
{
"name": "20140129 SiteCore XML Control Script Insertion",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/530901/100/0/threaded"
},
{
"name": "sitecore-xmlcontrol-xss(90833)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90833"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-100004",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev. 140120) allows remote attackers to inject arbitrary web script or HTML via the xmlcontrol parameter to the default URI. NOTE: some of these details are obtained from third party information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "65254",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/65254"
},
{
"name": "102660",
"refsource": "OSVDB",
"url": "http://osvdb.org/102660"
},
{
"name": "56705",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/56705"
},
{
"name": "http://sitecorekh.blogspot.dk/2014/01/sitecore-releases-70-update-4-rev-140120.html",
"refsource": "MISC",
"url": "http://sitecorekh.blogspot.dk/2014/01/sitecore-releases-70-update-4-rev-140120.html"
},
{
"name": "20140129 SiteCore XML Control Script Insertion",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/530901/100/0/threaded"
},
{
"name": "sitecore-xmlcontrol-xss(90833)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90833"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-100004",
"datePublished": "2015-01-13T11:00:00",
"dateReserved": "2015-01-13T00:00:00",
"dateUpdated": "2024-08-06T14:10:54.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-9875
Vulnerability from cvelistv5
Published
2019-05-31 20:34
Modified
2024-08-04 22:01
Severity ?
EPSS score ?
Summary
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://dev.sitecore.net/Downloads.aspx | x_refsource_MISC | |
| https://www.synacktiv.com/blog.html | x_refsource_MISC | |
| https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:01:55.175Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://dev.sitecore.net/Downloads.aspx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.synacktiv.com/blog.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-31T20:34:46",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://dev.sitecore.net/Downloads.aspx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.synacktiv.com/blog.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-9875",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://dev.sitecore.net/Downloads.aspx",
"refsource": "MISC",
"url": "https://dev.sitecore.net/Downloads.aspx"
},
{
"name": "https://www.synacktiv.com/blog.html",
"refsource": "MISC",
"url": "https://www.synacktiv.com/blog.html"
},
{
"name": "https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf",
"refsource": "MISC",
"url": "https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-9875",
"datePublished": "2019-05-31T20:34:46",
"dateReserved": "2019-03-19T00:00:00",
"dateUpdated": "2024-08-04T22:01:55.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}