CVE-2015-10142

Summary

Sitecore Experience Platform (XP) prior to 8.0 Initial Release (rev. 141212) and Content Management System (CMS) prior to 7.2 Update-3 (rev. 141226) and prior to 7.5 Update-1 (rev. 150130) contain a vulnerability that may allow an attacker to download files under the web root of the site when the name of the file is already known via a specially-crafted URL. Affected files do not include .config, .aspx or .cs files. The issue does not allow for directory browsing.

Affected Software

VendorProductVersion RangeStatus
SitecoreExperience Platform (XP)0 < 8.0 Initial Release (rev. 141212)affected
SitecoreContent Management System (CMS)0 < 7.2 Update-3 (rev. 141226)affected
SitecoreContent Management System (CMS)0 < 7.5 Update-1 (rev. 150130)affected

Weaknesses

  • CWE-610: CWE-610 Externally Controlled Reference to a Resource in Another Sphere

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References