Home

Description

Sitecore Experience Platform (XP) prior to 8.0 Initial Release (rev. 141212) and Content Management System (CMS) prior to 7.2 Update-3 (rev. 141226) and prior to 7.5 Update-1 (rev. 150130) contain a vulnerability that may allow an attacker to download files under the web root of the site when the name of the file is already known via a specially-crafted URL. Affected files do not include .config, .aspx or .cs files. The issue does not allow for directory browsing.

PUBLISHED Reserved 2025-07-24 | Published 2025-07-25 | Updated 2025-11-21 | Assigner VulnCheck




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-610 Externally Controlled Reference to a Resource in Another Sphere

Product status

Default status
unaffected

* (custom) before 8.0 Initial Release (rev. 141212)
affected

Default status
unaffected

* (custom) before 7.2 Update-3 (rev. 141226)
affected

* (custom) before 7.5 Update-1 (rev. 150130)
affected

Credits

Sitecore finder

References

support.sitecore.com/...ticle_view&sysparm_article=KB0816762 vendor-advisory patch

support.sitecore.com/...ticle_view&sysparm_article=KB1002377 vendor-advisory patch

www.vulncheck.com/...itecore-xp-cms-file-read-via-known-path third-party-advisory

cve.org (CVE-2015-10142)

nvd.nist.gov (CVE-2015-10142)

Download JSON