Cybersecurity researchers have revealed three security deficiencies on the popular Sitecore Experience (XP) platform that may be chained to achieve pre -proven remote code.
The Sitecore Experience platform – this Software focused on enterprise It gives users tools to manage content, digital marketing, analytics and reports.
The list of vulnerabilities that still have to be assigned to CVE IDs is as follows –
- Using solid credentials
- Following the authenticated remote code on the way through the passage
- Post-aspected Removed Code Through Extension Sitecore PowerShell
Researcher Watchtowr Labs Piotr Bazydlo said The user’s default account “Sitecore \ Servicesapi” has a one -color password that firmly encodes “b“
While the user does not play roles and permits designed in Sitecore, the Attack surface management firm found that the credentials may be in turn to use the final API point “/Sitecore/Admin” to enter as “Sitecore \ Servicesapi” and get real coats for the user.
“While we cannot access” Sitecore Applications “(where a considerable part of functionality is determined) because we can still have the roles: (1) access a number of API, and (2) go through the IIS resolution rules and direct interpret.
This, in turn, opens the door for the remote code through A Lightning’s vulnerability This allows you to download a specially designed mail file via “/Sitecore/shell/applications/upload/upload2.aspx” and causes the contents of the archive (eg, web -affiliate), which will be recorded in the Webroot catalog.
All the sequence of action is given below –
- Authentication as User “Sitecore \ Servicesapi”
- Access to Upload2.aspx
- Download the mail file containing a web -lobby called/• ../
- When asked check the UNZIP option and fill in the boot
- Access to the web –bolon
The third vulnerability is related to the unlimited disadvantage of file upload in the PowerShell extension, which can also be used as a “Sitecore \ Servicesapi” to achieve the remote code through “/Sitecore%20modules/powershell/powershelluploadfile2.aspx”.
Watchtowr noted that the password with solid coding originates within the Sitecore installer, which imports the pre -customized user database with the password of the Servicesapi installed on “B”. This change, according to the company, came into force, starting from version 10.1.
It also means that the operation network works only if the users installed Sitecore using the installers for the versions of ≥ 10.1. Users most likely do not affect when they used to perform the version up to 10.1, and then updated the new vulnerable version, believing that the old database is transferred rather than the database built into the installation package.
With previously disclosedCve-2019-9874 and Cve-2019-9875) It is important for users to apply the last patches, if not yet, to protect against potential cyber spagrosis.
“By default, the latest versions of Sitecore are shipped with a user who had a solid password” B “. This is 2025, and we can’t believe we still have to say it, but it’s very bad,” said Benjamin Harris, CEO and Watchtowr founder, in Hacker News.
“Sitecore has been deployed in thousands of environments, including banks, airlines and global enterprises-that’s the explosion radius here. And no, it’s not theoretically: we launched a full chain at the end.
