CVE-2021-42237

critical

Description

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

References

http://sitecore.com

https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776

https://blog.assetnote.io/2021/11/02/sitecore-rce/

http://packetstormsecurity.com/files/164988/Sitecore-Experience-Platform-XP-Remote-Code-Execution.html

Details

Source: MITRE

Published: 2021-11-05

Updated: 2021-12-03

Type: CWE-502

Risk Information

CVSS v2

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL