Home
HIGH: 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HDefault status
unaffected
9.0 (semver)
affected
10.0 (semver)
affected
Default status
unaffected
9.0 (semver)
affected
10.0 (semver)
affected
Description
Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Remote Code Execution (RCE).This issue affects Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.
Problem types
CWE-502 Deserialization of Untrusted Data
Product status
9.0 (semver)
10.0 (semver)
9.0 (semver)
10.0 (semver)
Credits
Piotr Bazydlo of watchTowr
References
labs.watchtowr.com/...ience-platform-cache-poisoning-to-rce/
support.sitecore.com/...ticle_view&sysparm_article=KB1003667