Description

Sitecore XP is a .NET content management system.

Sitecore XP uses usafe deserialization in Report.ashx. Arbitrary object deserialization is inherently unsafe, and should never be performed on untrusted data. An attacker can leverage this vulnerability to execute arbitrary code on the system.

Remediation

Upgrade to the latest version of Sitecore XP

References

Security Bulletin SC2021-003-499266

Sitecore Experience Platform Pre-Auth RCE - CVE-2021-42237

Related Vulnerabilities

JBoss InvokerTransformer Remote Code Execution

WordPress Plugin Kanzu Support Desk-WordPress Helpdesk Remote Code Execution (2.4.6)

WordPress Plugin Form Manager Remote Command Execution (1.7.2)

Telerik Web UI Unrestricted File Upload (CVE-2017-11317)

Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496/CVE-2023-49070)

Severity

High

Classification

CVE-2021-42237 CWE-502 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Insecure Deserialization Acumonitor Code Execution