← Voltar para CVEs
CVE-2019-9874
CRITICALCISA KEV9.8
Descricao
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
Detalhes CVE
Pontuacao CVSS v3.19.8
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado5/31/2019
Ultima modificacao11/7/2025
Fontekev
Avistamentos honeypot0
CISA KEV
FornecedorSitecore
ProdutoCMS and Experience Platform (XP)
Nome da vulnerabilidadeSitecore CMS and Experience Platform (XP) Deserialization Vulnerability
Data inclusao KEV2025-03-26
Prazo de remediacao2025-04-16
Uso em ransomwareUnknown
Produtos afetados
sitecore:cmssitecore:experience_platform
Fraquezas (CWE)
CWE-502CWE-502
Referencias
https://dev.sitecore.net/Downloads.aspx(cve@mitre.org)
https://www.synacktiv.com/blog.html(cve@mitre.org)
https://dev.sitecore.net/Downloads.aspx(af854a3a-2127-422b-91ae-364da2661108)
https://www.synacktiv.com/blog.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9874(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.