CVE-2019-11080

HIGH

Sitecore Experience Platform < 9.1.1 - Authenticated Remote Code Execution via Deserialization

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-11080. PoCs published by Jarad Kopf.

AI-analyzed exploit summary This is a writeup describing a deserialization RCE vulnerability in Sitecore 8.0 revision 150802. The exploit involves replacing a CSRF token with a crafted payload from ysoserial.net to achieve remote code execution.

Description

Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object.

Exploits (1)

exploitdb WRITEUP

by Jarad Kopf · textwebappsaspx

https://www.exploit-db.com/exploits/46987

View Code ZIP pw:eip

This is a writeup describing a deserialization RCE vulnerability in Sitecore 8.0 revision 150802. The exploit involves replacing a CSRF token with a crafted payload from ysoserial.net to achieve remote code execution.

Classification

Writeup 90%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Sitecore 8.0 Revision 150802

Auth required

Prerequisites: Authentication to Sitecore admin section · Access to /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Dialogs.Progress.aspx

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/minecrater/exploits/blob/master/Sitecore8xDeserialRCE

View Exploit ZIP pw:eip

Release Notes, Vendor Advisory x_refsource_misc

https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/91/Sitecore%20Experience%20Platform%2091%20Update1/Release%20Notes

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/153274/Sitecore-8.x-Deserialization-Remote-Code-Execution.html

Scores

CVSS v3 8.8

EPSS 0.1420

EPSS Percentile 96.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-502

Status published

Products (1)

sitecore/experience_platform < 9.1.1

Published Jun 06, 2019

Tracked Since Feb 18, 2026