PT-2023-24434 · Sitecore · Sitecore Experience Platform

Dylan Pindur · Published 2023-06-06 · Updated 2025-01-08 · CVE-2023-33653

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Sitecore Experience Platform (XP) version 9.3

Description

An authenticated user can achieve remote code execution through the /Applications/Content Manager/Execute.aspx component when the cmd parameter is set to convert and the mode parameter is set to HTML.

Recommendations

For Sitecore Experience Platform (XP) version 9.3, consider restricting access to the /Applications/Content Manager/Execute.aspx endpoint to minimize the risk of exploitation. Avoid using the cmd parameter with the convert value and the mode parameter with the HTML value in the Execute.aspx endpoint until the issue is resolved.
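
To check whether the endpoint and parameter combination described above is being requested, the following added example (not part of the advisory and not Sitecore code) scans IIS W3C extended logs for it. It assumes the log carries a `#Fields:` header, that matching should be case-insensitive, and that the path may appear under a longer prefix; the function names and the sample log lines are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote

# Endpoint path as given in the advisory, lower-cased for comparison.
ENDPOINT = "/applications/content manager/execute.aspx"

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2023-06-07 10:01:02 GET /Applications/Content+Manager/Execute.aspx cmd=convert&mode=HTML editor1 203.0.113.7 200
2023-06-07 10:01:09 GET /Applications/Content+Manager/Execute.aspx cmd=example&mode=HTML editor1 203.0.113.7 200
2023-06-07 10:02:30 POST /Applications/Content%20Manager/execute.aspx CMD=Convert&Mode=html editor2 198.51.100.23 200
2023-06-07 10:03:00 GET /default.aspx - - 192.0.2.10 200
"""


def normalize_stem(stem):
    """Undo the '+' and %xx encodings of spaces in a logged URI stem and lower-case it."""
    return unquote(stem.replace("+", " ")).lower()


def find_suspect_requests(log_text):
    """Return (date, time, client_ip, username) for each request to the
    endpoint that carries cmd=convert together with mode=HTML."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not normalize_stem(row.get("cs-uri-stem", "")).endswith(ENDPOINT):
            continue
        # Collect query parameters case-insensitively; "-" means no query string.
        params = {}
        for key, value in parse_qsl(row.get("cs-uri-query", "-")):
            params.setdefault(key.lower(), set()).add(value.lower())
        if "convert" in params.get("cmd", ()) and "html" in params.get("mode", ()):
            hits.append((row.get("date"), row.get("time"),
                         row.get("c-ip"), row.get("cs-username")))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print("suspect request:", *hit)
```

Parameters sent in a POST body do not appear in `cs-uri-query`, so any request to the endpoint that lacks a query string still deserves a manual look.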

Related Identifiers

CVE-2023-33653

Affected Products

Sitecore Experience Platform