A remote code execution vulnerability has been found in enterprise CMS product Sitecore XP that could leave all unpatched instances open to abuse.
Sitecore is an enterprise content management system (CMS) that, according to researchers from Assetnote, has an estimated 4,500 customers, including Fortune 500 companies.
The researchers found that the software was vulnerable to a pre-authentication RCE attack due to insecure deserialization in the Report.ashx file.
They discovered the vulnerability while probing Sitecore’s attack surface during a client engagement.
A blog post published yesterday (November 2) includes full technical details.
Mitigations
The vulnerability is pending a CVE number but is being tracked by the vendor as SC2021-003-499266.
It impacts all Sitecore systems running affected versions, including single-instance and multi-instance environments, managed cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, etc.) that are exposed to the internet.
To remediate the problem, Assetnote advised users to “simply remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/”, and pointed to Sitecore’s security advisory.
Sitecore has advised users to upgrade to version 9.0.0 or higher, which protects against the vulnerability.
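As an added defender-side example (not code from Assetnote, Sitecore or this article), the following PowerShell audits each IIS site for the handler file at the path quoted above and reads the installed Sitecore version, optionally removing the file as Assetnote advises. It assumes the WebAdministration module is available and that the Sitecore webroot carries sitecore\shell\sitecore.version.xml (an assumed location; confirm it on your build).

```powershell
# Added example, not from the article, Assetnote or Sitecore. Audits IIS sites for
# the Report.ashx handler named in the advisory and the Sitecore version in use.
# Assumes the WebAdministration module (Get-Website) and that the webroot holds
# sitecore\shell\sitecore.version.xml with <information><version> children
# (assumed file layout; verify against your installation).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # delete Report.ashx, the mitigation Assetnote describes
)

Import-Module WebAdministration

# Relative path quoted in the article, below the site's physical root
$handlerRel = 'sitecore\shell\ClientBin\Reporting\Report.ashx'
$versionRel = 'sitecore\shell\sitecore.version.xml'   # assumed location
# Sitecore advises 9.0.0 or higher; comparing major.minor is enough here
$fixedVersion = [version]'9.0'

foreach ($site in Get-Website) {
    $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $versionFile = Join-Path $root $versionRel
    if (-not (Test-Path $versionFile)) { continue }   # not a Sitecore webroot

    [xml]$v = Get-Content -LiteralPath $versionFile
    $ver = [version]('{0}.{1}' -f $v.information.version.major,
                                   $v.information.version.minor)
    $handler = Join-Path $root $handlerRel
    $present = Test-Path -LiteralPath $handler

    # One row per Sitecore site: exposed when the handler is still on disk
    # and the version is below the one the vendor says protects against it
    [pscustomobject]@{
        Site        = $site.name
        Version     = $ver
        HandlerFile = $present
        Exposed     = ($present -and $ver -lt $fixedVersion)
    }

    if ($Remove -and $present -and $ver -lt $fixedVersion -and
        $PSCmdlet.ShouldProcess($handler, 'Remove Report.ashx')) {
        Remove-Item -LiteralPath $handler -Force
    }
}
```

Run without `-Remove` first to review the report; `-Remove -WhatIf` shows which files would be deleted without touching them.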
The Daily Swig has reached out to Assetnote for more information and will update this article accordingly.
Source: https://portswigger.net/daily-swig/rce-vulnerability-found-in-sitecore-enterprise-cms-software