Sitecore published a security bulletin detailing CVE-2021-42237. The vulnerability is the result of deserializing attacker-controlled data originating from an HTTP POST request. An unauthenticated, remote attacker can execute arbitrary commands as NT AUTHORITY\NETWORK SERVICE by sending crafted XML to the /sitecore/shell/ClientBin/Reporting/Report.ashx endpoint.
Sitecore issued their advisory in mid-October, and a proof of concept exploit was published by Assetnote on November 2, 2021. However, a CVE was not published until November 5, 2021. At the time of writing, NVD has not yet assigned a CVSS score, but Rapid7 scores the vulnerability as 9.8 (critical).
Public proof of concept exploits exist for this vulnerability. Rapid7, and others, have observed this vulnerability being exploited in the wild by opportunistic attackers. Vulnerable internet-facing Sitecore XP installations are at high risk of exploitation.
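One way to hunt for exploitation attempts in web server logs, as an added example that is not part of the original bulletin or Rapid7's tooling: it parses IIS W3C extended log lines and counts POST requests to the Report.ashx handler from addresses outside an assumed trusted range. The log lines, the field list and the 10.0.0.0/8 trusted network are constructed for this example.

```python
"""Flag HTTP POSTs to the Sitecore Report.ashx endpoint in IIS W3C logs
(CVE-2021-42237 triage helper; sample data below is constructed)."""
import ipaddress
from typing import Dict, List

# Endpoint named in the Sitecore bulletin; compared case-insensitively
# because IIS URL paths are not case-sensitive.
REPORT_HANDLER = "/sitecore/shell/clientbin/reporting/report.ashx"

# Assumption: only these ranges may legitimately call the reporting API.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample IIS W3C log lines (not from any real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-11-06 10:01:02 10.0.0.5 GET /sitecore/login - 443 10.0.1.20 Mozilla/5.0 200
2021-11-06 10:01:10 10.0.0.5 POST /sitecore/shell/ClientBin/Reporting/Report.ashx - 443 10.0.1.20 Mozilla/5.0 200
2021-11-06 10:02:33 10.0.0.5 POST /sitecore/shell/ClientBin/Reporting/Report.ashx - 443 203.0.113.9 python-requests/2.26 500
2021-11-06 10:02:35 10.0.0.5 POST /SITECORE/shell/ClientBin/Reporting/REPORT.ASHX - 443 203.0.113.9 python-requests/2.26 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field list follows the directive
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed rows
                rows.append(dict(zip(fields, values)))
    return rows


def suspicious_report_posts(text: str) -> Dict[str, int]:
    """Count POSTs to Report.ashx per client IP outside TRUSTED_NETS."""
    hits: Dict[str, int] = {}
    for row in parse_w3c(text):
        if row["cs-method"] != "POST":
            continue
        if row["cs-uri-stem"].lower() != REPORT_HANDLER:
            continue
        ip = ipaddress.ip_address(row["c-ip"])
        if any(ip in net for net in TRUSTED_NETS):
            continue
        hits[row["c-ip"]] = hits.get(row["c-ip"], 0) + 1
    return hits
```

Every untrusted POST to the handler is worth triage regardless of status code, since a 500 may be a failed attempt and a 200 a successful one.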