Description

Sitecore XP is a .NET content management system.

Sitecore XP uses usafe deserialization in Report.ashx. Arbitrary object deserialization is inherently unsafe, and should never be performed on untrusted data. An attacker can leverage this vulnerability to execute arbitrary code on the system.

Remediation

Upgrade to the latest version of Sitecore XP

References

Security Bulletin SC2021-003-499266

Sitecore Experience Platform Pre-Auth RCE - CVE-2021-42237

Related Vulnerabilities

WordPress Plugin Secure File Manager Remote Code Execution (2.8.1)

Tiki Wiki CMS: Remote Code Execution via Calendar Module

WordPress Plugin BackWPup Remote and Local Code Execution (1.6.1)

VMware Horizon Log4Shell RCE

Oracle Weblogic T3 XXE (CVE-2019-2647)

Severity

High

Classification

CVE-2021-42237 CWE-502 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Insecure Deserialization Acumonitor Code Execution