Sitecore XP/XM Unrestricted Language File Upload Vulnerability Leading to Code Execution

Vulnerability

An unrestricted file upload vulnerability has been identified in the Import Languages feature of Sitecore XP/XM version 10.3. The import wizard does not validate the type or content of the file it is given, so an authenticated user with access to the Control Panel can write arbitrary files, including ASP.NET web shells, into a folder that the site serves and obtain code execution on the content management server.

Impact

Exploitation allows an authenticated user to upload arbitrary files to the server and execute code there with the privileges of the IIS application pool identity under which Sitecore runs. Because the affected role is the content management server, that access extends to everything the instance can reach: its databases and connection strings, the file system of the web root, and any internal systems the server is permitted to contact.

Reproduction

To reproduce this vulnerability, log into Sitecore 10.3 with valid credentials that grant access to the Control Panel, then open the Import Languages option under the toolbox. Choose the temporary folder as the destination for the upload. Instead of a Sitecore language file, select an ASP.NET web shell (for example one modified to invoke PowerShell rather than the default command prompt) and complete the upload; the wizard accepts it without checking the file type. Once the file is on disk, requesting it through the site causes IIS to compile and run it, which gives command execution as the application pool identity. Two conditions must hold for the final step: the destination folder must be reachable over HTTP, and the ASP.NET script handlers must still be mapped for that folder.
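A check a defender will want after reading the steps above is whether an executable file has already landed in the folders the wizard can write to. The following PowerShell script is an added example, not part of the original advisory and not Sitecore's own tooling: it walks the folders that should only ever hold data, flags any file whose extension IIS maps to a code-executing handler, and ranks the findings by common web shell markers. The install path and the folder names are assumptions; adjust them to your instance.

```powershell
# Added example, not part of the original advisory and not Sitecore's own code.
# Audits a Sitecore web root for script files that IIS would execute if requested,
# concentrating on folders the Import Languages wizard can write into.
# $WebRoot and the folder names are assumptions; adjust them for your instance.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot\sitecore',  # assumed install path
    [int]$LookbackDays = 30
)

# File types that a default ASP.NET site maps to code-executing handlers.
$executable = '.aspx', '.ashx', '.asmx', '.asax', '.ascx', '.cshtml', '.svc'

# Regular expressions commonly matched by ASP.NET web shells; used only to rank findings.
$markers = 'Process\.Start', 'cmd\.exe', 'powershell', 'Request\[', 'Request\.Form', 'Assembly\.Load'

# Folders that should hold data, never code. Language imports land in temp (assumed layout).
$dataFolders = 'temp', 'upload' | ForEach-Object { Join-Path $WebRoot $_ }

$since = (Get-Date).AddDays(-$LookbackDays)

$findings = foreach ($folder in $dataFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $executable -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            $hits = @($markers | Where-Object { $text -match $_ })
            [pscustomobject]@{
                Path     = $_.FullName
                Bytes    = $_.Length
                Modified = $_.LastWriteTime
                Recent   = $_.LastWriteTime -ge $since   # written inside the lookback window
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Markers  = ($hits -join ', ')
            }
        }
}

if ($findings) {
    # Any executable file under a data folder is a finding; marker hits raise its priority.
    $findings | Sort-Object Modified -Descending | Format-Table -AutoSize
    exit 1
}
else {
    Write-Output "No executable files found under $($dataFolders -join ', ')"
    exit 0
}
```

Run it from an elevated prompt on the content management server. A non-zero exit code makes it easy to schedule as a recurring job; any hit should be preserved (with its hash) before the file is removed, since the upload wizard leaves no other reliable trace of what was written.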

Remediation

Validate files server-side in the language import feature so that only the file types it genuinely needs are accepted; check the extension against an allow-list and confirm the content parses as a language file rather than trusting the client-supplied name. Independently of that, configure the destination folder so that IIS will not execute anything stored in it: remove script and execute permission for the folder in web.config and restrict the file extensions it will serve. Note that web.config rules govern what IIS serves or runs, not what the wizard writes to disk, so they reduce the impact of a malicious upload but do not replace validation. Finally, restrict access to the Import Languages feature to the administrators who need it, and apply the vendor fix for this issue once it is available for your version.
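The web.config part of that advice, as an added configuration example that is not Sitecore's shipped configuration. It assumes the wizard writes into the temp folder directly under the web root and that the folder only needs to serve XML and PNG files; adjust the path attribute and the extension list if your destination or contents differ.

```xml
<!-- Added example, not Sitecore's shipped configuration. Assumes the wizard writes
     into <webroot>\temp; adjust the path attribute if your destination differs. -->
<configuration>
  <location path="temp">
    <system.webServer>
      <!-- Read-only access: IIS refuses any handler that needs Script or Execute
           permission for files in this folder, so an uploaded .aspx is never compiled.
           Requires the handlers section to be unlocked, which it is once ASP.NET
           is registered with IIS. -->
      <handlers accessPolicy="Read" />
      <security>
        <requestFiltering>
          <!-- Serve only the file types this folder legitimately holds; a request for
               any other extension is rejected before a handler is chosen. -->
          <fileExtensions allowUnlisted="false">
            <add fileExtension=".xml" allowed="true" />
            <add fileExtension=".png" allowed="true" />
          </fileExtensions>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Merge the location element into the site's web.config rather than hiding the folder with a hiddenSegments entry: Sitecore serves some generated assets from under temp, and hiding the whole folder breaks them, whereas the two settings above leave legitimate static files reachable while removing the ability to run anything stored there.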

Added: May 15, 2026, 9:41 AM
Updated: May 15, 2026, 9:41 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 10.0
exploitability: 6.8
remediation: 0.0
relevance: 0.0
threat: 6.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.