CVE-2019-9875

2019-05-3120:34:46

mitre

www.cve.org

AI Score

9.2

Confidence

High

EPSS

0.017

Percentile

88.0%

JSON

Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.

References

dev.sitecore.net/Downloads.aspx

www.synacktiv.com/blog.html

www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf