Sitecore 8.x Deserialization Remote Code Execution

Sitecore versions 8.x suffer from a deserialization vulnerability that allows for remote code execution.

MD5 | e987669019c3f7e3a64c75ccc23f404e

# Exploit Title: Sitecore v 8.x Deserialization RCE
# Date: Reported to vendor October 2018, fix released April 2019.
# Exploit Author: Jarad Kopf
# Vendor Homepage:
# Software Link: Sitecore downloads:
# Version: Sitecore 8.0 Revision 150802
# Tested on: Windows
# CVE : CVE-2019-11080


Authentication is needed for this exploit. An attacker needs to login to Sitecore 8.0 revision 150802's Admin section.
When choosing to Serializeusers or domains in the admin UI, calls to /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Dialogs.Progress.aspx will include a CSRFTOKEN parameter.
By replacing this parameter with a URL-encoded, base64-encoded crafted payload from, an RCE is successful.

Related Posts