PT-2019-13367 · Sitecore · Sitecore

Published

2019-07-17

Updated

2019-07-18

CVE-2019-13493

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Sitecore version 9.0 rev 171002

Description The issue exists in the Media Library and File Manager of the affected software, where an authenticated unprivileged user can inject arbitrary JavaScript by modifying the uploaded file extension parameter, resulting in a Persistent XSS condition.

Recommendations For Sitecore version 9.0 rev 171002, consider restricting access to the Media Library and File Manager to minimize the risk of exploitation until a patch is available. Avoid using the file extension parameter in the affected modules until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2019-13493

Affected Products

Sitecore

PT-2019-13367 · Sitecore · Sitecore

CVE-2019-13493

Weakness Enumeration

Related Identifiers

Affected Products

References · 4