Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution. Sitecore Experience Platform is an enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reports. The list of vulnerabilities, which are yet to be assigned CVE identifiers, is as follows – Use of hard-coded credentials Post-authenticated remote code execution via path traversal Post-authenticated remote code execution via Sitecore PowerShell Extension watchTowr Labs researcher Piotr Bazydlo said the default user account "sitecoreServicesAPI" has a single-character password that's hard-coded to "b." While the user has no roles and permissions assigned in Sitecore, the attack surface management firm found that the credentials could be alternately used against the "/sitecore/admin" API endpoint to sign in as "sitecoreServicesAPI" and obtain a valid session cookie for the user. "While we can't access 'Sitecore Applications' (where a significant portion of functionality is defined) as the ServicesAPI has no roles assigned, we can still: (1) Access a number of APIs, and (2) Pass through IIS authorization rules and directly access some endpoints," Bazydlo explained. This, in turn, opens the door to remote code execution via a zip slip vulnerability that makes it possible to upload a specially crafted ZIP file via the…Read More