CVE-2023-33652

Published: Jun 6, 2023Modified: Jan 8, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /sitecore/shell/Invoke.aspx.

Affected (1)

Products: Sitecore: Experience Platform

Sitecore

1 product

Experience Platform

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sitecore Experience Platform	Version 9.3

Related CWEs

CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

References (2)

https://blog.assetnote.io/2023/05/10/sitecore-round-two/

Source: cve@mitre.org

ExploitThird Party Advisory

https://blog.assetnote.io/2023/05/10/sitecore-round-two/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.