CVE-2019-9875

CVSS 8.8 HIGH · EPSS 14.2% · KEV · CWE-502
In short

A flaw in Sitecore's CSRF protection allows an authenticated attacker to execute arbitrary code by sending specially crafted serialized data. This happens because the system deserializes untrusted data without proper validation.

Technical detail

CWE-502 unsafe deserialization in Sitecore's anti-CSRF module permits code execution via malicious serialized .NET objects supplied in POST parameters. The attack requires prior authentication and exploits the absence of integrity checks on deserialized payloads, leading to arbitrary code execution on the server.

Summary generated and translated by AI from the official description.
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
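As a defender-side illustration of the payload shape the description above refers to (an added example, not code from this advisory or from Sitecore), the following Python scans POST form bodies for parameters whose value base64-decodes to a .NET BinaryFormatter stream. The request records, paths and parameter names are constructed placeholders; the only real signature used is the fixed 17-byte SerializationHeaderRecord that opens every BinaryFormatter stream. A check like this suits a WAF rule or a request-log review, alongside the fix the description implies: not handing client-controlled bytes to a .NET deserializer without integrity verification.

```python
"""Added example (not from the advisory or from Sitecore): flag HTTP POST
form parameters whose value carries a .NET BinaryFormatter stream, the
kind of client-controlled serialized object CWE-502 issues like
CVE-2019-9875 involve. Defender-side only: it reports parameters for
review, nothing more."""
import base64
import binascii
from typing import List, Optional, Tuple
from urllib.parse import unquote

# MS-NRBF SerializationHeaderRecord as BinaryFormatter emits it: record type
# 0x00, RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0 (17 bytes).
# In base64 this is the familiar "AAEAAAD/////AQAAAAAAAAA=" prefix.
BINARYFORMATTER_HEADER = bytes.fromhex("00 01000000 ffffffff 01000000 00000000")


def decode_candidate(value: str) -> Optional[bytes]:
    """Best-effort conversion of a form value to raw bytes.

    Accepts standard or URL-safe base64 and tolerates stripped padding; a
    '+' that a sloppy client or proxy turned into a space is restored.
    Returns None when the value is too short or not base64 at all."""
    text = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    if len(text) < 20:  # shorter than the header itself, cannot be a stream
        return None
    text += "=" * (-len(text) % 4)
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_binaryformatter_stream(blob: bytes) -> bool:
    """True when blob opens with a SerializationHeaderRecord: record type 0x00
    and version 1.0 at offsets 9..16. RootId/HeaderId are not pinned so that
    unusual but still valid headers are caught as well."""
    return (len(blob) >= 17 and blob[0] == 0
            and blob[9:17] == b"\x01\x00\x00\x00\x00\x00\x00\x00")


def parse_form(body: str) -> List[Tuple[str, str]]:
    """Split an application/x-www-form-urlencoded body without turning '+'
    into a space (as parse_qs would), so base64 survives intact."""
    pairs = []
    for field in body.split("&"):
        if field:
            name, _, raw = field.partition("=")
            pairs.append((unquote(name), unquote(raw)))
    return pairs


def suspicious_parameters(body: str) -> List[str]:
    """Names of the parameters in a form body that decode to a BinaryFormatter stream."""
    flagged: List[str] = []
    for name, raw in parse_form(body):
        blob = decode_candidate(raw)
        if blob is not None and is_binaryformatter_stream(blob) and name not in flagged:
            flagged.append(name)
    return flagged


def scan_requests(requests: List[Tuple[str, str, str]]) -> List[Tuple[str, List[str]]]:
    """Run the check over (method, path, body) records; return only the hits."""
    hits = []
    for method, path, body in requests:
        if method.upper() != "POST":
            continue
        names = suspicious_parameters(body)
        if names:
            hits.append((path, names))
    return hits


# Constructed sample traffic: paths and parameter names are placeholders, and
# the "serialized" value is just the header followed by filler text.
SAMPLE_REQUESTS = [
    ("POST", "/app/form", "username=alice&comment=hello+world"),
    ("POST", "/app/form",
     "token=" + base64.b64encode(BINARYFORMATTER_HEADER + b"constructed filler").decode()),
    ("POST", "/app/form",
     "token=" + base64.b64encode(b"a plain base64 value, not an object graph").decode()),
    ("GET", "/app/form", ""),
]

if __name__ == "__main__":
    for path, names in scan_requests(SAMPLE_REQUESTS):
        print(f"{path}: BinaryFormatter stream in parameter(s) {', '.join(names)}")
```

The header check is deliberately loose on RootId and HeaderId, and the decoder restores '+' characters that intermediaries often mangle, so the rule does not miss a stream because of transport noise; base64 values that decode to anything other than an NRBF header are ignored, which keeps the false-positive rate low on ordinary tokens.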
Affected products
n/a · n/a
