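Related vulnerability
Title:
Sitecore Experience Manager security vulnerability
(CVE-2025-53693)
Description: Sitecore Experience Manager (XM) is a management software product from the Danish company Sitecore. Sitecore Experience Manager versions 9.0 through 9.3 and 10.0 through 10.4, and Sitecore Experience Platform versions 9.0 through 9.3 and 10.0 through 10.4, contain a security vulnerability that stems from the use of externally controlled input to select classes or code, which can lead to cache poisoning.
Description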
HTML cache poisoning through unsafe reflections
Introduction
### CVE-2025-53693: HTML Cache Poisoning
The XAML handler, located at `/-/xaml/`, exposes several controls that can be accessed without authentication. The `AjaxScriptManager` within these controls allows for the execution of methods via reflection. The `AddToCache` method can be abused to inject arbitrary HTML content into the Sitecore cache, which can then be rendered in other parts of the application.
**Cache Poisoning:** The attacker uses CVE-2025-53693 to poison the cache with a malicious payload.
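A defender's triage check for the exposure described above, as an added example that is not part of the original README or the PoC: it scans IIS W3C logs for requests to `/-/xaml/` that carried no authenticated user. The log layout, control name and addresses are constructed sample data, and the IIS field selection is assumed to include `cs-uri-stem` and `cs-username`.

```python
from collections import Counter

XAML_PREFIX = "/-/xaml/"  # handler path named on this page

# Constructed sample in IIS W3C extended format (not real traffic).
# "Constructed.Placeholder.Control" is a placeholder, not a real Sitecore control.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2025-09-01 10:00:01 GET /sitecore/login - - 198.51.100.7 200
2025-09-01 10:00:05 POST /-/xaml/Constructed.Placeholder.Control - - 203.0.113.9 200
2025-09-01 10:00:06 POST /-/XAML/Constructed.Placeholder.Control - - 203.0.113.9 200
2025-09-01 10:00:09 GET /-/xaml/Constructed.Placeholder.Control - CORP\\editor 192.0.2.4 200
2025-09-01 10:00:12 GET /-/xaml/Constructed.Placeholder.Control - - 203.0.113.9 404
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def anonymous_xaml_hits(text):
    """Return requests to the XAML handler that carried no authenticated user."""
    hits = []
    for row in parse_w3c(text):
        path = row.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if path.startswith(XAML_PREFIX) and row.get("cs-username", "-") == "-":
            hits.append(row)
    return hits

def summarize(hits):
    """Count hits per (client IP, method, status) so repeated requests stand out."""
    return Counter((h.get("c-ip"), h.get("cs-method"), h.get("sc-status")) for h in hits)

if __name__ == "__main__":
    for (ip, method, status), n in summarize(anonymous_xaml_hits(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {ip}  {method}  {status}")
```

IIS logs record the URL but not the request body, so a hit shows that the handler was reached anonymously, not which method was invoked; treat the output as leads for review alongside patch status.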
## Mitigation
Sitecore has released patches for this vulnerability. It is strongly recommended to upgrade to the latest version of Sitecore XP or apply the provided security patches.
## Reference
[1] Watchtowr Labs. (2025). [*Cache Me If You Can: Sitecore Experience Platform Cache Poisoning to RCE*.](https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/)
File snapshot
[4.0K] /data/pocs/035dc4629fc7bffe137775ace76b325eaf6f5b4d
├── [ 12K] exploit.py
├── [1.0K] LICENSE
└── [ 918] README.md
0 directories, 3 files