RCE vulnerability found in Sitecore enterprise CMS software


Get real time updates directly on you device, subscribe now.

Jessica Haworth

03 November 2021 at 13:45 UTC

Updated: 03 November 2021 at 13:46 UTC

Vendor update is available now

A remote code execution vulnerability has been found in enterprise CMS product Sitecore XP that could leave all unpatched instances open to abuse.

Sitecore is an enterprise content management system (CMS), which according to researchers from Assetnote has an estimated 4,500 customers, including Fortune 500 companies.

Read more of the latest security vulnerability news

The researchers found that the software was vulnerable to a pre-authentication RCE attack due to insecure deserialization in the Report.ashx file.

They discovered the vulnerability while probing Sitecore’s attack surface during a client engagement.

A blog post published yesterday (November 2) includes full technical details.


The vulnerability is pending a CVE number but is being tracked by the vendor as SC2021-003-499266.

It impacts all Sitecore systems running affected versions, including single-instance and multi-instance environments, managed cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, etc), which are exposed to the internet.

To remediate the problem, Assetnote advised users to “simply remove the file from ”, and pointed to Sitecore’s security advisory.

YOU MAY LIKE WordPress plugin vulnerability opened up one million sites to remote takeover

Sitecore has advised users to upgrade to version 9.0.0 or higher which protects against the vulnerability.

The Daily Swig has reached out to Assetnote for more information and will update this article accordingly.

DON’T MISS Discourse fixes critical validation-related vulnerability in forum software

Source link

Get real time updates directly on you device, subscribe now.

You might also like
Leave A Reply

Your email address will not be published.