CVE-2019-11080

HIGH

Sitecore Experience Platform < 9.1.1 - Insecure Deserialization

Title source: rule

Description

Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object.

Exploits (1)

exploitdb WRITEUP

by Jarad Kopf · textwebappsaspx

https://www.exploit-db.com/exploits/46987

View Code ZIP pw:eip

References (3)

[Release Notes, Vendor Advisory] https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/91/Sitecore%20Experience%20Platform%2091%20Update1/Release%20Notes

[Exploit, Third Party Advisory] https://github.com/minecrater/exploits/blob/master/Sitecore8xDeserialRCE

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/153274/Sitecore-8.x-Deserialization-Remote-Code-Execution.html

Scores

CVSS v3 8.8

EPSS 0.4177

EPSS Percentile 97.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

sitecore/experience_platform < 9.1.1

Timeline

Published Jun 06, 2019

Tracked Since Feb 18, 2026