
Sitecore .NET 5.3.x - web service information disclosure






Title:
Sitecore web service information disclosure

CVE Identifier:
____________

Credit: 
National Australia Bank's Security Assurance Team.
The vendor was advised of this vulnerability prior to its public release. National Australia Bank adheres to the “Guidelines for Security Vulnerability Reporting and Response V2.0” document when issuing security advisories.

Class:
Information Disclosure
Privilege Escalation

Remote:
Yes

Local:
Yes


Vulnerable:
Sitecore.NET 5.3.1 (rev. 071114) - other versions may also be vulnerable.

Not Vulnerable:


Vendor:
Sitecore

Discussion:
National Australia Bank's Security Assurance Team have identified a vulnerability in the Visual Sitecore Service, part of the Sitecore CMS application, that allows low privileged users to gain access to administrative and other users' credentials.

Exploit:
No exploit code provided. Simple SOAP/XML queries are all that is required.

Solution:
Apply patch V5.3.2 rev. 090212


References:  
Vendor Advisory http://sdn5.sitecore.net/Products/Sitecore%20V5/Sitecore%20CMS%205,-d-,3/ReleaseNotes/V5,-d-,3,-d-,2/ChangeLog.aspx 




