← Volver a CVEs

CVE-2019-9874

CRITICALCISA KEV

9.8

Descripcion

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.

Detalles CVE

Puntuacion CVSS v3.19.8

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado5/31/2019

Ultima modificacion11/7/2025

Fuentekev

Avistamientos honeypot0

CISA KEV

VendedorSitecore

ProductoCMS and Experience Platform (XP)

Nombre vulnerabilidadSitecore CMS and Experience Platform (XP) Deserialization Vulnerability

Fecha inclusion KEV2025-03-26

Fecha limite remediacion2025-04-16

Uso en ransomwareUnknown

Productos afectados

sitecore:cmssitecore:experience_platform

Debilidades (CWE)

CWE-502CWE-502

Referencias

https://dev.sitecore.net/Downloads.aspx(cve@mitre.org)

https://www.synacktiv.com/blog.html(cve@mitre.org)

https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf(cve@mitre.org)

https://dev.sitecore.net/Downloads.aspx(af854a3a-2127-422b-91ae-364da2661108)

https://www.synacktiv.com/blog.html(af854a3a-2127-422b-91ae-364da2661108)

https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf(af854a3a-2127-422b-91ae-364da2661108)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9874(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.