RCE vulnerability found in Sitecore enterprise CMS software
03 November 2021 at 13:45 UTC
Updated: 03 November 2021 at 13:46 UTC
Vendor update is available now
A remote code execution vulnerability has been found in enterprise CMS product Sitecore XP that could leave all unpatched instances open to abuse.
Sitecore is an enterprise content management system (CMS), which according to researchers from Assetnote has an estimated 4,500 customers, including Fortune 500 companies.
They discovered the vulnerability while probing Sitecore’s attack surface during a client engagement.
A blog post published yesterday (November 2) includes full technical details.
The vulnerability is pending a CVE number but is being tracked by the vendor as SC2021-003-499266.
It impacts all Sitecore systems running affected versions that are exposed to the internet, including single-instance and multi-instance environments, managed cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, etc).
To remediate the problem, Assetnote advised users to “simply remove the file from ”, and pointed to Sitecore’s security advisory.
Sitecore has advised users to upgrade to version 9.0.0 or higher, which protects against the vulnerability.
The Daily Swig has reached out to Assetnote for more information and will update this article accordingly.