CVE-2009-4367

Name of the Vulnerable Software and Affected Versions Sitecore Staging Module versions 5.4.0 rev.080625 and earlier

Description The issue allows remote attackers to bypass authentication in the Staging Webservice, enabling them to upload files, download files, list directories, and clear the server cache via crafted SOAP requests. This is possibly related to a direct request, and attackers can use arbitrary Username and Password values.

Recommendations For Sitecore Staging Module versions 5.4.0 rev.080625 and earlier, consider disabling the Staging Webservice until a patch is available to prevent exploitation. Restrict access to the api.asmx endpoint to minimize the risk of unauthorized file uploads, downloads, directory listings, and server cache clearance. Avoid using arbitrary Username and Password values in SOAP requests to the affected service.