CVE-2019-9874
In short
A security flaw in Sitecore CMS lets an attacker submit specially crafted data that the system deserializes and ends up executing as code, with no login required. The entry point is the anti-CSRF protection feature: a module meant to reject forged requests instead accepts attacker-supplied serialized data and becomes the path to code execution.
Technical detail
Unsafe deserialization of untrusted .NET objects in the Sitecore.Security.AntiCSRF module enables remote code execution via the __CSRFTOKEN POST parameter. An unauthenticated attacker can supply a serialized .NET object carrying a gadget chain and have arbitrary code run with the privileges of the web application. Affected versions are Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2.
Summary generated and translated by AI from the official description.
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
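A defender-side check for the request shape this CVE describes, added here as an example and not Sitecore's code: it parses a form-encoded POST body, base64-decodes any __CSRFTOKEN value and flags one that begins with a .NET BinaryFormatter stream header. Two assumptions are mine, not the page's: that the token travels base64-encoded in the form body, and that BinaryFormatter is the serializer involved. The sample bodies are constructed for the demonstration; the flagged one contains only the 13-byte serialization header followed by zero filler, not a payload.

```python
"""Flag POST bodies whose __CSRFTOKEN value carries a .NET BinaryFormatter stream.

Added example for CVE-2019-9874 (not Sitecore code). Assumes the token is sent as
a base64 string in an application/x-www-form-urlencoded body and that the
serializer is BinaryFormatter; neither detail is stated in the advisory.
"""
import base64
import binascii
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode

# Leading bytes of a .NET BinaryFormatter stream (SerializationHeaderRecord):
# record type 0x00, RootId 1, HeaderId -1, MajorVersion 1 (all int32 little-endian).
# Base64 of this prefix is the familiar "AAEAAAD/////AQAA".
BINARYFORMATTER_HEADER = bytes.fromhex("0001000000ffffffff01000000")


def decode_token(value: str) -> Optional[bytes]:
    """Base64-decode a token, tolerating the URL-safe alphabet and missing padding.

    Returns None when the value is not valid base64 at all.
    """
    cleaned = value.strip().replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_binaryformatter(blob: bytes) -> bool:
    """True when the decoded bytes start with the BinaryFormatter header record."""
    return blob.startswith(BINARYFORMATTER_HEADER)


def inspect_post_body(body: str) -> Dict[str, object]:
    """Return a verdict for one form-encoded POST body.

    has_token: whether a __CSRFTOKEN field was present at all
    suspicious: whether any __CSRFTOKEN value decodes to a BinaryFormatter stream
    """
    fields = parse_qs(body, keep_blank_values=True)
    tokens = fields.get("__CSRFTOKEN", [])
    verdict: Dict[str, object] = {"has_token": bool(tokens), "suspicious": False, "reason": ""}
    for tok in tokens:
        raw = decode_token(tok)
        if raw is not None and looks_like_binaryformatter(raw):
            verdict["suspicious"] = True
            verdict["reason"] = "BinaryFormatter header found in __CSRFTOKEN"
            break
    return verdict


def scan_bodies(bodies: List[str]) -> List[int]:
    """Indices of the bodies that should be alerted on."""
    return [i for i, body in enumerate(bodies) if inspect_post_body(body)["suspicious"]]


# Constructed sample request bodies (hypothetical traffic, not captured data).
# Body 0: an opaque-looking token that decodes to plain ASCII.
# Body 1: serialization header plus zero filler, URL-encoded as a browser would send it.
# Body 2: a request with no anti-CSRF token at all.
SAMPLE_BODIES = [
    "__CSRFTOKEN=c2l0ZWNvcmUtb3BhcXVlLXRva2Vu&name=alice",
    urlencode({"__CSRFTOKEN": base64.b64encode(BINARYFORMATTER_HEADER + b"\x00" * 8).decode(), "x": "1"}),
    "name=bob",
]

if __name__ == "__main__":
    for i, sample in enumerate(SAMPLE_BODIES):
        print(i, inspect_post_body(sample))
```

Run on access-log or WAF-captured POST bodies, the check is a cheap triage signal: a legitimate anti-CSRF token should never decode to a serialization stream, so a single hit on body index 1 above is worth an alert regardless of whether the rest of the request looks ordinary. Patching to a fixed Sitecore release remains the actual mitigation; the check only helps find attempts against hosts that have not been updated.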
Affected products
n/a · n/a