CVE-2022-4979 | THREATINT

Description

A cross-site scripting (XSS) vulnerability exists in Sitecore Experience Platform (XP) 7.5 - 10.2 and CMS 7.2 - 7.2 Update-6 that may allow authenticated Sitecore Shell users to be tricked into executing custom JS code. Managed Cloud Standard customers who run the affected Sitecore Experience Platform / CMS versions are also affected.

PUBLISHED Reserved 2025-07-24 | Published 2025-07-25 | Updated 2026-03-23 | Assigner VulnCheck

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status

unaffected

7.5 Initial Release (custom)

affected

8.0 Initial Release (custom)

affected

8.1 Initial Release (custom)

affected

8.2 Initial Release (custom)

affected

9.0 Initial Release (custom)

affected

9.1 Initial Release (custom)

affected

9.2 Initial Release

affected

9.3 Initial Release

affected

10.0 Initial Release (custom)

affected

10.1 Initial Release (custom)

affected

10.2 Initial Release

affected

Default status

unaffected

7.2 Initial Release (custom)

affected

Default status

unaffected

affected

References

support.sitecore.com/...ticle_view&sysparm_article=KB1001489 vendor-advisory patch

support.sitecore.com/...ticle_view&sysparm_article=KB1001539 vendor-advisory patch

www.vulncheck.com/...ories/sitecore-xp-cms-managed-cloud-xss third-party-advisory

cve.org (CVE-2022-4979)

nvd.nist.gov (CVE-2022-4979)

Download JSON