Connect with us

Business

RCE vulnerability found in Sitecore enterprise CMS software

Published

on

A remote code execution vulnerability has been found in enterprise CMS product Sitecore XP that could leave all unpatched instances open to abuse.

Sitecore is an enterprise content management system (CMS), which according to researchers from Assetnote has an estimated 4,500 customers, including Fortune 500 companies.

The researchers found that the software was vulnerable to a pre-authentication RCE attack due to insecure deserialization in the Report.ashx file.

They discovered the vulnerability while probing Sitecore’s attack surface during a client engagement.

blog post published yesterday (November 2) includes full technical details.

Mitigations

The vulnerability is pending a CVE number but is being tracked by the vendor as SC2021-003-499266.

It impacts all Sitecore systems running affected versions, including single-instance and multi-instance environments, managed cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, etc), which are exposed to the internet.

To remediate the problem, Assetnote advised users to “simply remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/”, and pointed to Sitecore’s security advisory.

Sitecore has advised users to upgrade to version 9.0.0 or higher which protects against the vulnerability.

The Daily Swig has reached out to Assetnote for more information and will update this article accordingly.

Source: https://portswigger.net/daily-swig/rce-vulnerability-found-in-sitecore-enterprise-cms-software

Advertisement
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO