CRITICAL🇵🇱 Wersja polska

CVE-2025-53693

CVSS 9.8v3.1pub. 2025-09-03upd. 2025-09-08

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.This issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.

🤖 AI Analysis
How it works

The vulnerability results from the use of externally controlled input data to select classes or code in the reflection mechanism (CWE-470). An attacker can provide crafted input that the application uses to dynamically load or execute a class, leading to cache poisoning. The lack of authentication requirements (PR:N, UI:N) means that the exploit can be carried out remotely over the network without any user interaction.

Impact

An attacker can cause cache poisoning, which threatens the confidentiality, integrity, and availability of the system. According to publicly available references, the vulnerability can be escalated to remote code execution (RCE).

Mitigation & patch

Patches available from the vendor should be applied according to the references — details are available in the Sitecore knowledge base article KB1003667. It is recommended to immediately verify the deployed versions and apply available patches.

Who is affected

Sitecore Experience Manager (XM) in versions 9.0 to 9.3 and 10.0 to 10.4; Sitecore Experience Platform (XP) in versions 9.0 to 9.3 and 10.0 to 10.4. Also affects Sitecore Experience Commerce and Sitecore Managed Cloud.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Sitecore Experience Commerce

    APP
    Sitecore
    9.0 – 10.4
  • Sitecore Experience Manager

    APP
    Sitecore
    9.0 – 10.4
  • Sitecore Experience Platform

    APP
    Sitecore
    10.49.0 – 10.4 (bez)
  • Sitecore Managed Cloud

    APP
    Sitecore
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-53690CRITICAL9.0⚠ KEVPL ✓ten sam produkt

Krótki tytuł podatności po polsku (max 80 znaków)

CVE-2021-42237CRITICAL9.8⚠ KEVten sam produkt

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attac...

CVE-2019-9874CRITICAL9.8⚠ KEVten sam produkt

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0...

CVE-2023-35813CRITICAL9.8ten sam produkt

Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, ...

CVE-2023-27068CRITICAL9.8ten sam produkt

Deserialization of Untrusted Data in Sitecore Experience Platform through 10.2 allows remote attackers to run ...