Sitecore Experience Manager and Experience Platform Cache Poisoning Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability allowing HTML cache poisoning has been identified in Sitecore Experience Manager (XM) versions 9.0 through 9.3 and 10.0 through 10.4, as well as in Sitecore Experience Platform (XP) versions 9.0 through 9.3 and 10.0 through 10.4. This vulnerability arises from unsafe reflection, where externally controlled input is used to select classes or code, potentially leading to remote code execution. The issue can be exploited by overwriting HTML cache entries with malicious content, which is then executed in the context of the application.

Impact

Exploitation of this vulnerability allows for unauthorized HTML cache poisoning, which can be used to inject malicious content into cached pages. This injected content can be executed as JavaScript, potentially leading to remote code execution, especially when combined with other vulnerabilities in the application.

Reproduction

The vulnerability can be reproduced by sending a request to the 'Sitecore.Web.UI.XamlSharp.Xaml.XamlPageHandlerFactory' with the 'AddToCache' method. This method can be used to overwrite existing cache entries or add new ones. The 'cacheKey' and 'html' parameters can be customized to target specific cache entries. Once the cache has been poisoned, the injected HTML will be executed when the cached page is accessed.
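For defenders checking whether such requests have already reached a server, the following added example (not part of the original advisory and not Sitecore code) scans request logs for references to 'AddToCache' together with the 'cacheKey' and 'html' parameters. The JSON-lines log schema, the field names and the sample records are constructed assumptions; the advisory does not give the real request layout, so the matching is done on the decoded text of the whole request.

```python
import json
from urllib.parse import unquote_plus

# Identifiers named in the advisory, lower-cased for matching.
METHOD = "addtocache"
PARAMS = ("cachekey=", "html=")

# Constructed sample records; the schema (ts/src/url/body) is an assumption.
SAMPLE_LOG = """\
{"ts": "2025-09-03T10:00:01Z", "src": "198.51.100.7", "url": "/products?page=2", "body": ""}
{"ts": "2025-09-03T10:00:05Z", "src": "203.0.113.9", "url": "/placeholder-handler", "body": "method=AddToCache&cacheKey=placeholder-key&html=%3Cp%3Etest%3C%2Fp%3E"}
{"ts": "2025-09-03T10:00:09Z", "src": "203.0.113.9", "url": "/placeholder-handler", "body": "method=%2541ddToCache&cacheKey=placeholder-key"}
{"ts": "2025-09-03T10:00:12Z", "src": "192.0.2.44", "url": "/search?q=how+to+add+to+cache", "body": ""}
"""

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded values still match."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(record):
    """Return None for unrelated requests, else a finding dict."""
    text = fully_decode(record.get("url", "") + "&" + record.get("body", "")).lower()
    if METHOD not in text:
        return None
    seen = [p.rstrip("=") for p in PARAMS if p in text]
    # Both parameters present means a cache key and its content were supplied.
    level = "high" if len(seen) == len(PARAMS) else "review"
    return {"ts": record["ts"], "src": record["src"], "level": level, "params": seen}

def find_cache_writes(log_text):
    """Scan JSON-lines log text and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = classify(json.loads(line))
        if hit:
            findings.append(hit)
    return findings

if __name__ == "__main__":
    for f in find_cache_writes(SAMPLE_LOG):
        print(f["ts"], f["src"], f["level"], ",".join(f["params"]))
```

Request bodies are often absent from default web server logs, so this kind of check depends on a proxy, WAF or application log that records them.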

Remediation

Sitecore has released patches for this vulnerability. Instructions for applying the patch can be found in the Sitecore Knowledge Base articles KB1003667 and KB1003734.

Added: Sep 3, 2025, 1:18 PM
Updated: Sep 3, 2025, 1:18 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 9.7
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.