CyberSec.Space Logo
CVEブラウザに戻る

CVE-2019-9874

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score65.7670%
EPSS Percentile89.61th
Published2019年5月31日
Last Modified2025年11月7日

Vulnerability Description

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.

Affected Platforms (CPE)

📦
Sitecore

Cms

>= 7.0 and <= 7.2
📦
Sitecore

Experience Platform

>= 7.5 and <= 8.2

References & Advisories

🔗 https://dev.sitecore.net/Downloads.aspx
🔗 https://www.synacktiv.com/blog.html
🔗 https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf
🔗 https://dev.sitecore.net/Downloads.aspx
🔗 https://www.synacktiv.com/blog.html
🔗 https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf
🔗 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9874

関連する脆弱性情報

CVE-2005-400710.0

Multiple unspecified vulnerabilities in SAPID CMS before 1.2.3.03, related to newly registered users and possibly authorization ch...

CVE-2005-376410.0

The image gallery (imagegallery) component in Exponent CMS 0.96.3 and later versions does not properly check the MIME type of uplo...

CVE-2020-1518810.0

SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). The allows remote attackers to execute a...

CVE-2006-160410.0

Unspecified vulnerability in Exponent CMS before 0.96.5 RC 1 has unknown impact and remote attack vectors related to variables tha...