CVE-2019-11080

Published: Jun 6, 2019Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object.

Affected (1)

Products: Sitecore: Experience Platform

1 product

Experience Platform

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sitecore Experience Platform	Before 9.1.1

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (6)

http://packetstormsecurity.com/files/153274/Sitecore-8.x-Deserialization-Remote-Code-Execution.html

Source: cve@mitre.org

https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/91/Sitecore%20Experience%20Platform%2091%20Update1/Release%20Notes

Source: cve@mitre.org

Release NotesVendor Advisory

https://github.com/minecrater/exploits/blob/master/Sitecore8xDeserialRCE

Source: cve@mitre.org

ExploitThird Party Advisory

http://packetstormsecurity.com/files/153274/Sitecore-8.x-Deserialization-Remote-Code-Execution.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/91/Sitecore%20Experience%20Platform%2091%20Update1/Release%20Notes

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://github.com/minecrater/exploits/blob/master/Sitecore8xDeserialRCE

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.