TROYANOSYVIRUS

CVE-2019-9874

CRITICAL | CISA KEV | 9.8

Description

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.

CVE Details

CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 5/31/2019
Last modified: 11/7/2025
Source: kev
Honeypot sightings: 0

CISA KEV

Vendor: Sitecore
Product: CMS and Experience Platform (XP)
Vulnerability name: Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
KEV date added: 2025-03-26
Remediation due date: 2025-04-16
Ransomware use: Unknown

Affected Products

sitecore:cms
sitecore:experience_platform

Weaknesses (CWE)

CWE-502

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.