Shodan
Vulnerabilities
Vulnerable Software
Sitecore:  Security Vulnerabilities
CVE-2019-11080
Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object.
CVSS Score
8.8
EPSS Score
0.418
Published
2019-06-06
CVE-2019-9874
Known exploited
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
CVSS Score
9.8
EPSS Score
0.251
Published
2019-05-31
CVE-2019-9875
Known exploited
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.
CVSS Score
8.8
EPSS Score
0.136
Published
2019-05-31
CVE-2019-12440
The Sitecore Rocks plugin before 2.1.149 for Sitecore allows an unauthenticated threat actor to inject malicious commands and code via the Sitecore Rocks Hard Rocks Service.
CVSS Score
9.8
EPSS Score
0.007
Published
2019-05-29
CVE-2018-7669
An issue was discovered in Sitecore Sitecore.NET 8.1 rev. 151207 Hotfix 141178-1 and above. The 'Log Viewer' application is vulnerable to a directory traversal attack, allowing an attacker to access arbitrary files from the host Operating System using a sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file= URI. Validation is performed to ensure that the text passed to the 'file' parameter correlates to the correct log file directory. This filter can be bypassed by including a valid log filename and then appending a traditional 'dot dot' style attack.
CVSS Score
7.5
EPSS Score
0.254
Published
2018-04-27
CVE-2017-11439
In Sitecore 8.2, there is reflected XSS in the shell/Applications/Tools/Run Program parameter.
CVSS Score
5.4
EPSS Score
0.002
Published
2017-07-19
CVE-2017-11440
In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter.
CVSS Score
4.9
EPSS Score
0.009
Published
2017-07-19
CVE-2017-9356
Sitecore.NET 7.1 through 7.2 has a Cross Site Scripting Vulnerability via the searchStr parameter to the /Search-Results URI.
CVSS Score
6.1
EPSS Score
0.002
Published
2017-06-23
CVE-2017-5965
The package manager in Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to execute arbitrary ASP code by creating a ZIP archive in which a .asp file has a ..\ in its pathname, visiting sitecore/shell/applications/install/dialogs/Upload%20Package/UploadPackage2.aspx to upload this archive and extract its contents, and visiting a URI under sitecore/ to execute the .asp file.
CVSS Score
6.7
EPSS Score
0.004
Published
2017-05-23
CVE-2017-5966
Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path traversal attack on sitecore/shell/download.aspx with the file parameter.
CVSS Score
4.9
EPSS Score
0.003
Published
2017-05-23


Products
Pricing
Contact Us

Shodan ® - All rights reserved