Total Sitecore CMS takeover possible with exploit chain

More than 22,000 instances of the widely used content management system Sitecore Experience Platform could be hijacked in intrusions chaining a trio of security flaws, according to The Register.
The first of the vulnerabilities is a hardcoded-credentials issue: an internal account ships with its password hardcoded to "b", which allows that account to be brute-forced immediately. Combined with the second flaw, a path traversal bug, this allowed remote code execution on vulnerable Sitecore Experience Platform instances, according to a report from watchTowr researchers. On instances that also have the Sitecore PowerShell Extensions installed, attackers could instead chain the first flaw with the third, an unrestricted file upload defect, to achieve RCE. "When one installs Sitecore, the installer asks you if you want to install the SXA alongside. You should expect many environments to have the PowerShell Extensions installed, but not all," said the watchTowr researchers. Sitecore has already addressed all three flaws in patches issued last month.