CVE-2019-11080
28Vexday Risk Score
No sign of exploitation. It has a public proof of concept.
ssvc Attendepss 14%
from disclosure to weapon7 days
Published on NVDJun 6
1st PoC+7d
exploitation probability
14%top 4% of all CVEs
observed exploitation
nono source reports it
2 public exploit(s)
Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object.
Affected products
n/a · n/apublic PoCs found — 2
cve_referencepacketstormsecurity.com/files/153274/Sitecore-8.x-Deserialization-Remote-Code-Execution.htmlunverifiedexploitdbwww.exploit-db.com/exploits/46987unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/153274/Sitecore-8.x-Deserialization-Remote-Code-Execution.htmlhttps://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/91/Sitecore%20Experience%20Platform%2091%20Update1/Release%20Noteshttps://github.com/minecrater/exploits/blob/master/Sitecore8xDeserialRCE