CVE-2016-8855

MEDIUM

Sitecore Experience Platform 8.1 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-8855. PoCs published by Pralhad Chaskar.

AI-analyzed exploit summary This is a writeup describing a stored XSS vulnerability in Sitecore Experience Platform 8.1 Update-3. The vulnerability allows malicious scripts to be injected into the Name and Description fields of a Contact List, which are not properly escaped.

Description

Cross-Site Scripting (XSS) in "/sitecore/client/Applications/List Manager/Taskpages/Contact list" in Sitecore Experience Platform 8.1 rev. 160519 (8.1 Update-3) allows remote attacks via the Name or Description parameter. This is fixed in 8.2 Update-2.

Exploits (1)

exploitdb WRITEUP
by Pralhad Chaskar · textwebappsaspx
https://www.exploit-db.com/exploits/41618

This is a writeup describing a stored XSS vulnerability in Sitecore Experience Platform 8.1 Update-3. The vulnerability allows malicious scripts to be injected into the Name and Description fields of a Contact List, which are not properly escaped.

Classification
Writeup 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Sitecore Experience Platform 8.1 Update-3 (8.1 rev. 160519)
Auth required
Prerequisites: Access to the Sitecore application · Valid credentials to log in · Ability to create or edit a Contact List
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41618/

Scores

CVSS v3 6.1
EPSS 0.0219
EPSS Percentile 80.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
sitecore/experience_platform 8.1 rev._160519
Published Mar 19, 2017
Tracked Since Feb 18, 2026