Back to KEVs

CVE-2019-9875

Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by...

Basic Information

CVE State
PUBLISHED
Reserved Date
March 19, 2019
Published Date
May 31, 2019
Last Updated
March 26, 2025
Vendor
n/a
Product
n/a
Description
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.

CVSS Scores

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2025-03-26 00:00:00 UTC) Source

References

https://dev.sitecore.net/Downloads.aspx https://www.synacktiv.com/blog.html https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf

Known Exploited Vulnerability Information

Source Added Date
CISA 2025-03-26 00:00:00 UTC