CVE-2019-11080
First published: Thu Jun 06 2019(Updated: )
Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sitecore | <9.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/153274/Sitecore-8.x-Deserialization-Remote-Code-Execution.html
- https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/91/Sitecore%20Experience%20Platform%2091%20Update1/Release%20Notes
- https://github.com/minecrater/exploits/blob/master/Sitecore8xDeserialRCE
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2019-11080.
What is the title of the vulnerability?
The title of the vulnerability is 'Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization.'
What is the severity of CVE-2019-11080?
The severity of CVE-2019-11080 is critical with a severity value of 8.8.
How does the vulnerability occur?
The vulnerability occurs when an authenticated user with necessary permissions sends a crafted serialized object, allowing remote execution of OS commands.
How can I fix CVE-2019-11080?
To fix CVE-2019-11080, it is recommended to upgrade Sitecore Experience Platform (XP) to version 9.1.1 or later.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/author
- agent/references
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/sitecore
- canonical/sitecore