Remote Code Execution via Deserialization in Sitecore Experience Platform (XP) prior to 9.1.1

Remote Code Execution via Deserialization in Sitecore Experience Platform (XP) prior to 9.1.1

CVE-2019-11080 · HIGH Severity

AV:N/AC:L/AU:S/C:C/I:C/A:C

Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object.

Learn more about our User Device Pen Test.