Sitecore Experience Manager and Experience Platform Sensitive Information Disclosure Vulnerability

Vulnerability

A vulnerability allowing unauthorized access to sensitive information has been identified in Sitecore Experience Manager (XM) versions 9.2 through 10.4 and Experience Platform (XP) versions 9.2 through 10.4. This vulnerability arises from the exposure of the ItemServices API, which can be accessed without proper authorization, leading to information disclosure.

Impact

Exploitation of this vulnerability allows unauthorized users to access sensitive information through the ItemServices API, potentially leading to further exploitation of the application.

Reproduction

The vulnerability can be reproduced by sending a request to the exposed ItemServices API without authentication. If the API is reachable and returns item data, the vulnerability is present. Additionally, if the API is exposed under a restricted user whose permissions limit which items are visible, that restriction can be bypassed by crafting a search query, for example one that uses wildcard characters to enumerate items.
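As an added defender-side example (not part of the advisory and not Sitecore's code), the script below scans IIS W3C log lines for the two conditions the reproduction section describes: ItemServices requests that were served without an authenticated user, and ItemServices search requests carrying a wildcard. Assumptions are labelled in the code: the URI prefix /sitecore/api/ssc/ is taken to be where ItemServices is served, IIS is taken to record anonymous requests with cs-username "-", and the log lines (including the query parameter name) are constructed samples rather than real traffic.

```python
"""Flag Sitecore ItemServices exposure in IIS W3C logs.

Added example for this advisory; not Sitecore code. Assumptions:
  * ItemServices is served under ITEMSERVICES_PREFIX (assumed prefix).
  * IIS writes "-" in cs-username for anonymous requests.
  * SAMPLE_LOG is constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import Iterable, Iterator

ITEMSERVICES_PREFIX = "/sitecore/api/ssc/"  # assumed; adjust to the deployment

# Constructed sample in IIS W3C format (header lines start with '#').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-09-03 13:39:01 10.0.0.5 GET /sitecore/api/ssc/item/11111111-2222-3333-4444-555555555555 - 443 - 198.51.100.7 200
2025-09-03 13:39:02 10.0.0.5 GET /sitecore/api/ssc/item/search term=* 443 - 198.51.100.7 200
2025-09-03 13:39:03 10.0.0.5 GET /sitecore/api/ssc/item/search term=home 443 sitecore\\editor 203.0.113.9 200
2025-09-03 13:39:04 10.0.0.5 GET /sitecore/api/ssc/item/11111111-2222-3333-4444-555555555555 - 443 - 198.51.100.7 401
2025-09-03 13:39:05 10.0.0.5 GET /index.html - 443 - 192.0.2.10 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[tuple[int, dict]]:
    """Yield (line number, field->value dict) using the '#Fields:' header."""
    fields: list[str] = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        yield line_no, dict(zip(fields, values))


def classify(rec: dict) -> list[str]:
    """Return the reasons an ItemServices request should be reviewed."""
    reasons: list[str] = []
    stem = rec.get("cs-uri-stem", "")
    if not stem.lower().startswith(ITEMSERVICES_PREFIX):
        return reasons  # not an ItemServices call
    anonymous = rec.get("cs-username", "-") == "-"
    served = rec.get("sc-status", "").startswith("2")
    if anonymous and served:
        # A 2xx to an anonymous caller is the exposure the advisory describes;
        # a 401 here means authentication is being enforced.
        reasons.append("unauthenticated ItemServices request served")
    if "*" in rec.get("cs-uri-query", ""):
        # Wildcard searches are worth reviewing even from authenticated users,
        # since the advisory notes they can widen a restricted user's view.
        reasons.append("wildcard in ItemServices search query")
    return reasons


def scan(lines: Iterable[str]) -> list[Finding]:
    """Run classify() over every parsed record and collect findings."""
    findings: list[Finding] = []
    for line_no, rec in parse_w3c(lines):
        for reason in classify(rec):
            findings.append(Finding(line_no, rec.get("c-ip", "?"),
                                    rec.get("cs-uri-stem", ""), reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.client_ip} {f.uri} -> {f.reason}")
```

Run against the constructed sample, the script reports the two anonymous 200 responses on lines 3 and 4 and the wildcard search on line 4, while the authenticated search on line 5 and the rejected (401) request on line 6 produce nothing. On a real server, feed it the site's IIS log directory and treat any "unauthenticated ItemServices request served" hit as confirmation that the patch from the security bulletin has not been applied or the service is still exposed.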

Remediation

Sitecore has released patches for this vulnerability. Instructions for applying the patch can be found in the Sitecore Security Bulletin SC2025-004.

Added: Sep 3, 2025, 1:39 PM
Updated: Sep 3, 2025, 1:39 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 7.8
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.