
    6 vulnerabilities found for Sitecore Experience Manager (XM) by Sitecore

    CVE-2025-53692 (GCVE-0-2025-53692)

    Vulnerability from nvd – Published: 2025-09-21 19:42 – Updated: 2025-09-22 17:27
    Title
    Sitecore Experience Platform Cross-Site Scripting Vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) allows Cross-Site Scripting (XSS). This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4. The record's CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N, base score 7.1) describes an unauthenticated, network-reachable issue that needs user interaction, and its SSVC values (Exploitation: none, Automatable: no) currently indicate no known exploitation. The affected range is given only at major.minor granularity (two-component versions tagged as semver), so it does not distinguish patched from unpatched 10.4 builds; consult the referenced Sitecore KB article (KB1003734, the same article referenced for CVE-2025-53694) for the specific remediating build.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Wiz
    Impacted products
    Date Public
    2025-09-21 19:30

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53692",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-22T17:27:03.884556Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-22T17:27:11.080Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Sitecore Experience Manager (XM)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "9.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Experience Platform (XP)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "9.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-09-21T19:30:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cross-Site Scripting (XSS).This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-21T19:42:46.643Z",
            "orgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
            "shortName": "Wiz"
          },
          "references": [
            {
              "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003734"
            },
            {
              "url": "https://labs.watchtowr.com/disclosed-vulnerabilities/"
            },
            {
              "url": "https://chudypb.github.io/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Sitecore Experience Platform Cross-Site Scripting Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
        "assignerShortName": "Wiz",
        "cveId": "CVE-2025-53692",
        "datePublished": "2025-09-21T19:42:46.643Z",
        "dateReserved": "2025-07-08T14:21:02.029Z",
        "dateUpdated": "2025-09-22T17:27:11.080Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-53694 (GCVE-0-2025-53694)

    Vulnerability from nvd – Published: 2025-09-03 12:36 – Updated: 2025-09-03 13:57
    Title
    Information Disclosure in ItemServices API
    Summary
    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP). This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4. The record does not state which data the ItemServices API exposes, and its attack-pattern mapping (CAPEC-112 Brute Force) differs from the listed weakness (CWE-200); see the referenced watchTowr write-up for the specifics. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base score 7.5) and SSVC values (Exploitation: poc, Automatable: yes) describe an unauthenticated, automatable disclosure with a public proof of concept, so it should be prioritized together with CVE-2025-53693, which was made public at the same time and is documented in the same write-up. Remediation is tracked in Sitecore KB1003734.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Wiz
    Impacted products
    Date Public
    2025-09-03 11:00
    Credits
    Piotr Bazydlo of watchTowr

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53694",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-03T13:57:48.453027Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-03T13:57:58.828Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Sitecore Experience Manager (XM)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "9.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Experience Platform (XP)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "9.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Piotr Bazydlo of watchTowr"
            }
          ],
          "datePublic": "2025-09-03T11:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP).\u003cp\u003eThis issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4.\u003c/p\u003e"
                }
              ],
              "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP).This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-112",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-112 Brute Force"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-03T12:36:37.520Z",
            "orgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
            "shortName": "Wiz"
          },
          "references": [
            {
              "url": "https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/"
            },
            {
              "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003734"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Information Disclosure in ItemServices API",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
        "assignerShortName": "Wiz",
        "cveId": "CVE-2025-53694",
        "datePublished": "2025-09-03T12:36:37.520Z",
        "dateReserved": "2025-07-08T14:21:02.029Z",
        "dateUpdated": "2025-09-03T13:57:58.828Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-53693 (GCVE-0-2025-53693)

    Vulnerability from nvd – Published: 2025-09-03 12:36 – Updated: 2025-09-03 13:53
    Title
    HTML Cache Poisoning through Unsafe Reflections
    Summary
    Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) allows Cache Poisoning. This issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4. Note that the affected range starts at 9.0 here, earlier than the 9.2 floor given for CVE-2025-53692 and CVE-2025-53694, and that remediation is tracked in a different Sitecore KB article (KB1003667), so applying the fix for the other two issues does not cover this one. The record rates it CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) with SSVC Exploitation: poc, Automatable: yes and Technical Impact: total, and the referenced watchTowr write-up's title describes chaining the cache poisoning to remote code execution; treat it as the highest-priority item in this set.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
    Assigner
    Wiz
    Impacted products
    Vendor Product Version
    Sitecore Sitecore Experience Manager (XM) Affected: 9.0 , ≤ 9.3 (semver)
    Affected: 10.0 , ≤ 10.4 (semver)
    Sitecore Experience Platform (XP) Affected: 9.0 , ≤ 9.3 (semver)
    Affected: 10.0 , ≤ 10.4 (semver)
    Date Public
    2025-09-03 11:00
    Credits
    Piotr Bazydlo of watchTowr

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53693",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-03T13:49:59.488662Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-03T13:53:40.699Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Sitecore Experience Manager (XM)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "9.3",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Experience Platform (XP)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "9.3",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Piotr Bazydlo of watchTowr"
            }
          ],
          "datePublic": "2025-09-03T11:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027) vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.\u003cp\u003eThis issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.\u003c/p\u003e"
                }
              ],
              "value": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027) vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.This issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-141",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-141 Cache Poisoning"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-470",
                  "description": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-03T12:36:53.745Z",
            "orgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
            "shortName": "Wiz"
          },
          "references": [
            {
              "url": "https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/"
            },
            {
              "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003667"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "HTML Cache Poisoning through Unsafe Reflections",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
        "assignerShortName": "Wiz",
        "cveId": "CVE-2025-53693",
        "datePublished": "2025-09-03T12:36:53.745Z",
        "dateReserved": "2025-07-08T14:21:02.029Z",
        "dateUpdated": "2025-09-03T13:53:40.699Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-53692 (GCVE-0-2025-53692)

    Vulnerability from cvelistv5 – Published: 2025-09-21 19:42 – Updated: 2025-09-22 17:27
    Title
    Sitecore Experience Platform Cross-Site Scripting Vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) allows Cross-Site Scripting (XSS). This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4. The record's CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N, base score 7.1) describes an unauthenticated, network-reachable issue that needs user interaction, and its SSVC values (Exploitation: none, Automatable: no) currently indicate no known exploitation. The affected range is given only at major.minor granularity (two-component versions tagged as semver), so it does not distinguish patched from unpatched 10.4 builds; consult the referenced Sitecore KB article (KB1003734, the same article referenced for CVE-2025-53694) for the specific remediating build.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Wiz
    Impacted products
    Date Public
    2025-09-21 19:30

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53692",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-22T17:27:03.884556Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-22T17:27:11.080Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Sitecore Experience Manager (XM)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "9.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Experience Platform (XP)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "9.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-09-21T19:30:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cross-Site Scripting (XSS).This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-21T19:42:46.643Z",
            "orgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
            "shortName": "Wiz"
          },
          "references": [
            {
              "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003734"
            },
            {
              "url": "https://labs.watchtowr.com/disclosed-vulnerabilities/"
            },
            {
              "url": "https://chudypb.github.io/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Sitecore Experience Platform Cross-Site Scripting Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
        "assignerShortName": "Wiz",
        "cveId": "CVE-2025-53692",
        "datePublished": "2025-09-21T19:42:46.643Z",
        "dateReserved": "2025-07-08T14:21:02.029Z",
        "dateUpdated": "2025-09-22T17:27:11.080Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-53693 (GCVE-0-2025-53693)

    Vulnerability from cvelistv5 – Published: 2025-09-03 12:36 – Updated: 2025-09-03 13:53
    Title
    HTML Cache Poisoning through Unsafe Reflections
    Summary
    Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Experience Manager (XM) and Sitecore Experience Platform (XP) allows Cache Poisoning. This issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4. Note that the affected range starts at 9.0 here, earlier than the 9.2 floor given for CVE-2025-53692 and CVE-2025-53694, and that remediation is tracked in a different Sitecore KB article (KB1003667), so applying the fix for the other two issues does not cover this one. The record rates it CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) with SSVC Exploitation: poc, Automatable: yes and Technical Impact: total, and the referenced watchTowr write-up's title describes chaining the cache poisoning to remote code execution; treat it as the highest-priority item in this set.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
    Assigner
    Wiz
    Impacted products
    Vendor Product Version
    Sitecore Sitecore Experience Manager (XM) Affected: 9.0 , ≤ 9.3 (semver)
    Affected: 10.0 , ≤ 10.4 (semver)
    Sitecore Experience Platform (XP) Affected: 9.0 , ≤ 9.3 (semver)
    Affected: 10.0 , ≤ 10.4 (semver)
    Date Public
    2025-09-03 11:00
    Credits
    Piotr Bazydlo of watchTowr

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53693",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-03T13:49:59.488662Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-03T13:53:40.699Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Sitecore Experience Manager (XM)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "9.3",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Experience Platform (XP)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "9.3",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Piotr Bazydlo of watchTowr"
            }
          ],
          "datePublic": "2025-09-03T11:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027) vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.\u003cp\u003eThis issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.\u003c/p\u003e"
                }
              ],
              "value": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027) vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.This issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-141",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-141 Cache Poisoning"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-470",
                  "description": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-03T12:36:53.745Z",
            "orgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
            "shortName": "Wiz"
          },
          "references": [
            {
              "url": "https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/"
            },
            {
              "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003667"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "HTML Cache Poisoning through Unsafe Reflections",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
        "assignerShortName": "Wiz",
        "cveId": "CVE-2025-53693",
        "datePublished": "2025-09-03T12:36:53.745Z",
        "dateReserved": "2025-07-08T14:21:02.029Z",
        "dateUpdated": "2025-09-03T13:53:40.699Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-53694 (GCVE-0-2025-53694)

    Vulnerability from cvelistv5 – Published: 2025-09-03 12:36 – Updated: 2025-09-03 13:57
    Title
    Information Disclosure in ItemServices API
    Summary
    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP). This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Wiz
    Impacted products
    Date Public
    2025-09-03 11:00
    Credits
    Piotr Bazydlo of watchTowr

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53694",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-03T13:57:48.453027Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-03T13:57:58.828Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Sitecore Experience Manager (XM)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "9.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Experience Platform (XP)",
              "vendor": "Sitecore",
              "versions": [
                {
                  "lessThanOrEqual": "10.4",
                  "status": "affected",
                  "version": "9.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Piotr Bazydlo of watchTowr"
            }
          ],
          "datePublic": "2025-09-03T11:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP).\u003cp\u003eThis issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4.\u003c/p\u003e"
                }
              ],
              "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP).This issue affects Sitecore Experience Manager (XM): from 9.2 through 10.4; Experience Platform (XP): from 9.2 through 10.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-112",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-112 Brute Force"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-03T12:36:37.520Z",
            "orgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
            "shortName": "Wiz"
          },
          "references": [
            {
              "url": "https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/"
            },
            {
              "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003734"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Information Disclosure in ItemServices API",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9947ef80-c5d5-474a-bbab-97341a59000e",
        "assignerShortName": "Wiz",
        "cveId": "CVE-2025-53694",
        "datePublished": "2025-09-03T12:36:37.520Z",
        "dateReserved": "2025-07-08T14:21:02.029Z",
        "dateUpdated": "2025-09-03T13:57:58.828Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }