PT-2024-32289 · Sitecore · Experience Manager, Experience Commerce, Sitecore Experience Platform

Published

2024-09-15

·

Updated

2024-12-05

·

CVE-2024-46938

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) versions 8.0 through 10.4

Description

An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) that allows an unauthenticated attacker to read arbitrary files. This issue can lead to pre-authentication remote code execution (RCE). The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents in which this issue was exploited.

Recommendations

For Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) versions 8.0 through 10.4, update to a version later than 10.4 to resolve the issue. As a temporary workaround, consider restricting access to sensitive files until a patch is available. Avoid using any potentially vulnerable functions or parameters in the affected API endpoints until the issue is resolved. At the moment, there is no other information about additional mitigation measures.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-46938

Affected Products

Experience Commerce
Experience Manager
Sitecore Experience Platform