File Download Vulnerability in Sitecore Experience Platform and CMS
CVE-2015-10142

6.9MEDIUM

Key Information:

Vendor

Sitecore

Status
Experience Platform (xp)
Content Management System (cms)
Vendor
CVE Published:
25 July 2025

What is CVE-2015-10142?

The Sitecore Experience Platform (XP) versions prior to 8.0 Initial Release and Sitecore CMS versions prior to 7.2 Update-3 and 7.5 Update-1 contain a vulnerability that permits an attacker with knowledge of certain file names to download files located within the web root. While the exposure does not permit access to .config, .aspx, or .cs files, the risk of unauthorized file access highlights the need for timely updates and patching to protect sensitive data.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Content Management System (CMS) * < 7.2 Update-3 (rev. 141226)

Content Management System (CMS) * < 7.5 Update-1 (rev. 150130)

Experience Platform (XP) * < 8.0 Initial Release (rev. 141212)

References

https://support.sitecore.com/kb?id=kb_article_view&syspar...
vendor-advisorypatch
https://support.sitecore.com/kb?id=kb_article_view&syspar...
vendor-advisorypatch
https://www.vulncheck.com/advisories/sitecore-xp-cms-file...
third-party-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sitecore
JSON
.