CVE-2025-34510

Summary

Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.

Affected Software

VendorProductVersion RangeStatus
SitecoreExperience Manager9.0 <= 9.3affected
SitecoreExperience Manager10.0 <= 10.4affected
SitecoreExperience Platform9.0 <= 9.3affected
SitecoreExperience Platform10.0 <= 10.4affected
SitecoreExperience Commerce9.0 <= 9.3affected
SitecoreExperience Commerce10.0 <= 10.4affected

Weaknesses

  • CWE-23: CWE-23: Relative Path Traversal

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References