Deserialization Vulnerability in Sitecore Experience Platform 10.2
CVE-2023-27068

9.8CRITICAL

Key Information:

Vendor: Sitecore
Status: Experience Platform
Vendor: CVE Published:; 23 May 2023

What is CVE-2023-27068?

The Sitecore Experience Platform version 10.2 is susceptible to a deserialization vulnerability that enables remote attackers to execute arbitrary code. This flaw occurs through the improper handling of untrusted data in the ValidationResult.aspx endpoint, potentially allowing an attacker to gain unauthorized control over the affected system. Users and administrators of the Sitecore Experience Platform should apply necessary security patches and follow best practices to mitigate the risk of exploitation.

References

https://dev.sitecore.net/Downloads/Sitecore%20Experience%...

https://www.sitecore.com/products/sitecore-experience-pla...

https://blogs.night-wolf.io/0-day-vulnerabilities-at-site...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 23, 2023
Vulnerability Reserved
Feb 27, 2023