CVE-2019-9874

nvd nist nuclei

Published: May 31, 2019Modified: Nov 7, 2025CISA KEV

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.

Affected (2)

Products: Sitecore: Cms, Experience Platform

2 products

Experience Platform

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Sitecore Cms	From 7.0 to 7.2
Sitecore Experience Platform	From 7.5 to 8.2

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (7)

https://dev.sitecore.net/Downloads.aspx

Source: cve@mitre.org

ProductVendor Advisory

https://www.synacktiv.com/blog.html

Source: cve@mitre.org

Third Party Advisory

https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf

Source: cve@mitre.org

ExploitPatchThird Party Advisory

https://dev.sitecore.net/Downloads.aspx

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

https://www.synacktiv.com/blog.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9874

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.