<ul data-eligibleForWebStory="true"><li>The Sitecore Experience Platform, a popular CMS, had vulnerabilities that allowed threat actors to take over vulnerable servers.</li><li>One of the vulnerabilities was a hardcoded password for an internal user, making it easy to guess.</li><li>Malicious users could authenticate via an alternate login path to gain access to internal endpoints.</li><li>A 'Zip Slip' flaw in Sitecore Upload Wizard allowed authenticated attackers to upload malicious files.</li><li>Attackers could write arbitrary files in the webroot due to insufficient path sanitation.</li><li>With the Sitecore PowerShell Extensions module installed, attackers could achieve a 'reliable RCE'.</li><li>Around 22,000 publicly exposed Sitecore instances are vulnerable, from versions 10.1 to 10.4.</li><li>It is advised to patch immediately as attackers could potentially exploit these vulnerabilities.</li><li>No reports of abuse have been seen in the wild, but users are recommended to update as soon as possible.</li></ul>

One of the world's most popular CMS tools has an embarrassing security flaw, so patch immediately

Discover more