Sitecore CMS/XP CSRF Remote Code Execution

Critical | Web App Scanning Plugin ID 113431

Synopsis

Sitecore CMS/XP CSRF Remote Code Execution

Description

Sitecore CMS version 6.6.3 to XP version 8.2.7 and XP version 9.x below 9.1.1 suffer from a deserialization vulnerability in the CSRF management (Sitecore.Security.AntiCsrf) library. By crafting a specific HTTP request to the `CreateNewUser.aspx` endpoint, a remote attacker could achieve remote code execution on the target Sitecore instance.

Note that versions below 8.2.7 can be exploited without authentication (CVE-2019-9874), whereas versions 9.x < 9.1.1 require the attacker to be authenticated (CVE-2019-9875).

Solution

Update at least to Sitecore XP version 8.2.7 or 9.1.1. If the update cannot be performed, apply hotfix `SC Hotfix 313001-1 Security.AntiCsrf 1.1.1` for versions 8.2.x and `SC Hotfix 313001-1 Security.AntiCsrf 1.0.0` for the other versions.
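The affected ranges, the two CVEs and the per-branch hotfix above are easy to misread during triage, so the following added helper (not Tenable's plugin code) maps a Sitecore version string to the matching CVE, its authentication requirement and the remediation. It assumes versions of the form `major.minor.update` and, following the Note and Solution text, treats 8.2.7 and 9.1.1 themselves as fixed.

```python
# Constructed example: classify a Sitecore version against the ranges on this page.
# Boundaries follow the Note/Solution text: < 8.2.7 is CVE-2019-9874 (unauthenticated),
# 9.x < 9.1.1 is CVE-2019-9875 (authenticated); 8.2.7 and 9.1.1 are treated as fixed.
from __future__ import annotations

from dataclasses import dataclass

AFFECTED_MIN = (6, 6, 3)   # lowest affected version named in the description
FIXED_8 = (8, 2, 7)        # first fixed version on the 8.x line
FIXED_9 = (9, 1, 1)        # first fixed version on the 9.x line
HOTFIX = "SC Hotfix 313001-1 Security.AntiCsrf"


@dataclass(frozen=True)
class Assessment:
    vulnerable: bool
    cve: str | None            # CVE-2019-9874 or CVE-2019-9875, None if not affected
    auth_required: bool | None  # whether exploitation needs an authenticated session
    remediation: str


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.update' (e.g. '8.2.6'); omitted parts default to 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Sitecore version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version: str) -> Assessment:
    """Return which advisory entry (if any) applies to the given version."""
    v = parse_version(version)
    if AFFECTED_MIN <= v < FIXED_8:
        # Hotfix 1.1.1 is for 8.2.x; every other affected branch gets 1.0.0.
        hotfix_ver = "1.1.1" if v[:2] == (8, 2) else "1.0.0"
        return Assessment(True, "CVE-2019-9874", False,
                          f"upgrade to 8.2.7 or apply {HOTFIX} {hotfix_ver}")
    if (9, 0, 0) <= v < FIXED_9:
        return Assessment(True, "CVE-2019-9875", True,
                          f"upgrade to 9.1.1 or apply {HOTFIX} 1.0.0")
    return Assessment(False, None, None, "no action: outside the affected ranges")


if __name__ == "__main__":
    for ver in ("7.2", "8.2.6", "8.2.7", "9.0.2", "9.1.1"):
        print(ver, assess(ver))
```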

See Also

https://dev.sitecore.net/Downloads/Sitecore_Experience_Platform/91/Sitecore_Experience_Platform_91_Update1.aspx

https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0334035

https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf

Plugin Details

Severity: Critical

ID: 113431

Type: remote

Published: 11/21/2022

Updated: 12/19/2022

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-9874

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2019-9874

Vulnerability Information

CPE: cpe:2.3:a:sitecore:*:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/16/2019

Reference Information

CVE: CVE-2019-9874, CVE-2019-9875