CVE-2025-34139
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Sitecore | Experience Manager (XM) | 8.0 Initial Release <= 10.4 Initial Release and later | affected |
| Sitecore | Experience Platform (XP) | 8.0 Initial Release <= 10.4 Initial Release and later | affected |
| Sitecore | Experience Commerce (XC) | 8.0 Initial Release <= 10.4 Initial Release and later | affected |
| Sitecore | Managed Cloud | 8.0 Initial Release <= 10.4 Initial Release and later | affected |
Weaknesses
- CWE-522: CWE-522 Insufficiently Protected Credentials
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003650
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003661
- https://www.vulncheck.com/advisories/sitecore-xm-xp-xc-managed-cloud-arbitrary-file-read
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.