Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Experience Platform

Source -

CNA

CNA CVEs -

3

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
3Vulnerabilities found
CVE-2022-4979
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.09% / 26.04%
||
7 Day CHG+0.01%
Published-25 Jul, 2025 | 15:55
Updated-29 Jul, 2025 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sitecore XP 7.5 - 10.2, CMS 7.2, and Managed Cloud XSS

A cross-site scripting (XSS) vulnerability exists in Sitecore Experience Platform (XP) 7.5 - 10.2 and CMS 7.2 - 7.2 Update-6 that may allow authenticated Sitecore Shell users to be tricked into executing custom JS code. Managed Cloud Standard customers who run the affected Sitecore Experience Platform / CMS versions are also affected.

Action-Not Available
Vendor-Sitecore
Product-Content Mangement System (CMS)Managed CloudExperience Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-34510
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-4.32% / 88.46%
||
7 Day CHG-0.22%
Published-17 Jun, 2025 | 18:46
Updated-26 Jun, 2025 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sitecore XM, XC, and XP Post-Auth RCE via Zip Slip

Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing path traversal sequences, allowing arbitrary file writes and leading to code execution.

Action-Not Available
Vendor-Sitecore
Product-Experience PlatformExperience CommerceExperience Manager
CWE ID-CWE-23
Relative Path Traversal
CVE-2025-34509
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-8.2||HIGH
EPSS-0.06% / 19.46%
||
7 Day CHG~0.00%
Published-17 Jun, 2025 | 18:20
Updated-22 Jul, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sitecore XM and XP Hardcoded Credentials

Sitecore Experience Manager (XM) and Experience Platform (XP) versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access administrative API over HTTP.

Action-Not Available
Vendor-Sitecore
Product-Experience ManagerExperience Platform
CWE ID-CWE-798
Use of Hard-coded Credentials