Name of the Vulnerable Software and Affected Versions:

Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4

Description:

A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution. The vulnerability is a Zip Slip vulnerability, which enables an attacker to write files arbitrarily on the system.

Recommendations:

For versions 9.0 through 9.3 and 10.0 through 10.4, consider disabling the ZIP upload functionality until a patch is available to prevent exploitation of the Zip Slip vulnerability. Restrict access to the affected API endpoint that allows ZIP archive uploads to minimize the risk of exploitation. Avoid using the parameter related to ZIP file uploads in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.