CVE-2019-12440
CRITICAL: Sitecore Rocks < 2.1.149 - Unauthenticated Remote Code Execution via Hard Rocks Service
Title source: llmDescription
The Sitecore Rocks plugin before 2.1.149 for Sitecore allows an unauthenticated threat actor to inject malicious commands and code via the Sitecore Rocks Hard Rocks Service.
References (3)
Core References
https://kb.sitecore.net/articles/842902 (Patch, Vendor Advisory; x_refsource_misc)
https://github.com/Sitecore/Sitecore.Rocks/releases/tag/2.1.149 (Release Notes, Third Party Advisory; x_refsource_misc)
https://github.com/Sitecore/Sitecore.Rocks/compare/be79dcc...bd9ba6a (Patch, Third Party Advisory; x_refsource_misc)
Scores
CVSS v3
9.8
EPSS
0.0213
EPSS Percentile
79.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (1)
sitecore/rocks
< 2.1.149
Published
May 29, 2019
Tracked Since
Feb 18, 2026