Sitecore | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution. Sitecore Experience Platform is an enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reports. The list of vulnerabilities, which are yet to be assigned CVE identifiers, is as follows - Use of hard-coded credentials Post-authenticated remote code execution via path traversal Post-authenticated remote code execution via Sitecore PowerShell Extension watchTowr Labs researcher Piotr Bazydlo said the default user account "sitecore\ServicesAPI" has a single-character password that's hard-coded to " b ." While the user has no roles and permissions assigned in Sitecore, the attack surface management firm found that the credentials could be alternately used against the "/sitecore/admin" API endpoi...