CVE-2021-38366

Published: Aug 12, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Sitecore through 10.1, when Update Center is enabled, allows remote authenticated users to upload arbitrary files and achieve remote code execution by visiting an uploaded .aspx file at an admin/Packages URL.

Affected (1)

Products: Sitecore: Sitecore

Sitecore

1 product

Sitecore

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sitecore Sitecore	Up to 10.1

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://blog.istern.dk/2021/08/10/sitecore-10-authenticated-file-upload-to-rce/

Source: cve@mitre.org

ExploitThird Party Advisory

https://blog.istern.dk/2021/08/10/sitecore-10-authenticated-file-upload-to-rce/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.