PT-2025-30894 · Sitecore · Sitecore Experience Platform +2
Vendor: Sitecore
Published: 2025-07-25 · Updated: 2025-07-25
CVE ID: CVE-2025-34139
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Sitecore Experience Manager (XM) versions 8.0 Initial Release through 10.4 Initial Release
Sitecore Experience Platform (XP) versions 8.0 Initial Release through 10.4 Initial Release
Sitecore Experience Commerce (XC) versions 8.0 Initial Release through 10.4 Initial Release
Description
A vulnerability exists that could allow an unauthenticated attacker to read arbitrary files. This issue affects Content Management (CM) and standalone instances, as well as PaaS and containerized solutions, across all Experience Platform topologies.
Recommendations
Update Sitecore Experience Manager (XM) to a version later than 10.4 Initial Release.
Update Sitecore Experience Platform (XP) to a version later than 10.4 Initial Release.
Update Sitecore Experience Commerce (XC) to a version later than 10.4 Initial Release.
Fix
Weakness Types (CWE)
Insufficiently Protected Credentials
Files Accessible to External Parties
Affected Products
Sitecore Experience Commerce
Sitecore Experience Manager
Sitecore Experience Platform