Cybersecurity researchers have disclosed three security flaws on the popular Sitecore Experience Platform (XP), which may be chained to achieve pre-recognized remote code execution.
Sitecore Experience Platform is enterprise-oriented software that provides users with tools for content management, digital marketing, and analysis and reporting.
The list of vulnerabilities that have not yet been assigned is:
After using hardcoded credentials, remote code execution after passing through path traversal, Sitecore PowerShell extension
Watchtowr Labs researcher Piotr Bazydlo said the default user account, “Sitecore\Servicesapi,” has a single character password that is hard-coded in “b.”
Although the user does not have the roles and privileges assigned in Sitecore, the attack surface management company has discovered that it can alternately use the “/Sitecore/Admin” API endpoint to sign in as “Sitecore\Servicesapi” and retrieve a valid session cookie for the user.
“You can’t access the ‘Sitecore application’ (if a significant portion of the feature is defined), but Servicesapi is not assigned a role, but (1) accesses many APIs, (2) go through IIS authentication rules and accesses some endpoints directly,” explained Bazydlo.
This opens the door to remote code execution through a Zip Slip Slip vulnerability, allowing you to upload specially created zip files via “/sitecore/shell/application/dialogs/upload/upload2.aspx”.
The entire sequence of actions is shown below –
“SiteCore\ ServicesApi” User Access Upload2.aspx Authenticates to upload ZIP files. This includes the web shell called /\/…/.
The third vulnerability relates to the unlimited file upload flaw in the PowerShell extension. This is also used as a “Sitecore\Servicesapi” user, and is “/sitecore%20modules/shell/powershell/uploadfile/powershelluploadfile2.aspxx”
WatchTowr noted that hardcoded passwords originate from within the SiteCore installer, which imports pre-configured user databases with the ServiceAPI password set to “B”. The company said the change has launched version 10.1.
This also means it only works if the user installs Sitecore using the installer version ≥10.1. Users may not be affected if they were running a version earlier than 10.1, and are upgraded to a new, vulnerable version, assuming that the old database has since been migrated.
Because previously disclosed defects in Sitecore XP are actively exploited in the wild (CVE-2019-9874 and CVE-2019-9875), it is essential that users still apply the latest patches to protect against potential cyber threats.
“By default, recent versions of Sitecore shipped with users with a hardcoding password of ‘B’. It’s 2025 and I can’t believe we still have to say this, but that’s a very bad thing,” Watchtowr CEO and founder Benjamin Harris told Hacker News in a statement.
“Sitecore is deployed in thousands of environments, including banks, airlines and global companies, so the explosion radius here is large. No, this is not theoretical. It’s running end-to-end. If you’re running Sitecore, if it’s not worse than this, it will spin credits and patches just before the attacker reverses the engine.
Source link
