Sitecore 8.x Deserialization Remote Code Execution

Credit: Jarad Kopf
Risk: High
Local: No
Remote: Yes
CWE: CWE-502

CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: Sitecore v 8.x Deserialization RCE # Date: Reported to vendor October 2018, fix released April 2019. # Exploit Author: Jarad Kopf # Vendor Homepage: # Software Link: Sitecore downloads: # Version: Sitecore 8.0 Revision 150802 # Tested on: Windows # CVE : CVE-2019-11080 Exploit: Authentication is needed for this exploit. An attacker needs to login to Sitecore 8.0 revision 150802's Admin section. When choosing to Serializeusers or domains in the admin UI, calls to /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Dialogs.Progress.aspx will include a CSRFTOKEN parameter. By replacing this parameter with a URL-encoded, base64-encoded crafted payload from, an RCE is successful.

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019,


Back to Top