CVE-2019-9874
Published May 31, 2019
Last updated 4 days ago
AI description
CVE-2019-9874 is a deserialization of untrusted data vulnerability that exists in the Sitecore.Security.AntiCSRF module within Sitecore CMS and Experience Platform (XP). Specifically, it affects Sitecore CMS versions 7.0 to 7.2 and Sitecore XP versions 7.5 to 8.2. This vulnerability allows an unauthenticated attacker to execute arbitrary code on a vulnerable system. This is achieved by sending a crafted, serialized .NET object within the `__CSRFTOKEN` HTTP POST parameter.
- Description: Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
- Source: cve@mitre.org
- NVD status: Modified
CVSS 3.1
- Type: Secondary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
CVSS 3.0
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
CVSS 2.0
- Type: Primary
- Base score: 7.5
- Impact score: 6.4
- Exploitability score: 10
- Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P
Data from CISA
- Vulnerability name: Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
- Exploit added on: Mar 26, 2025
- Exploit action due: Apr 16, 2025
- Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 1
👀 6-year-old bugs are back and being weaponized. CISA just flagged two 2019 Sitecore RCE flaws (CVE-2019-9874 & 9875) as actively exploited. But it doesn’t stop there: ➡️ Next.js auth bypass (CVE-2025-29927) is under live attack ➡️ DrayTek routers face fresh waves targetin
@achi_tech
29 Mar 2025
47 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
⚠️ Vulnerability Alert: Critical Vulnerabilities in Google Chrome and Sitecore CMS 📅 Timeline: Disclosure: 2025-03-26, Action Due: 2025-04-17 🆔 CVE IDs: CVE-2025-2783, CVE-2019-9874, CVE-2019-9875 📊 Base Scores: CVE-2025-2783: 8.8 (High) CVE-2019-9874: 9.8 (Critical)
@syedaquib77
28 Mar 2025
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
👀 6-year-old bugs are back—and being weaponized. CISA just flagged two 2019 Sitecore RCE flaws (CVE-2019-9874 & 9875) as actively exploited. But it doesn’t stop there: ➡️ Next.js auth bypass (CVE-2025-29927) is under live attack ➡️ DrayTek routers face fresh waves targetin
@Cyber_Crime9
27 Mar 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
👀 6-year-old bugs are back—and being weaponized. CISA just flagged two 2019 Sitecore RCE flaws (CVE-2019-9874 & 9875) as actively exploited. But it doesn’t stop there: ➡️ Next.js auth bypass (CVE-2025-29927) is under live attack ➡️ DrayTek routers face fresh waves targetin
@TheHackersNews
27 Mar 2025
71019 Impressions
37 Retweets
107 Likes
26 Bookmarks
1 Reply
3 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:sitecore:cms:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9B358977-D881-4B0A-8F4D-6D1B0BAAB665",
            "versionEndIncluding": "7.2",
            "versionStartIncluding": "7.0"
          },
          {
            "criteria": "cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BC833020-7B0B-4593-B4B5-C073F01CC0C2",
            "versionEndIncluding": "8.2",
            "versionStartIncluding": "7.5"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]