CVE-2019-9875
published 2019-05-31


Priority: P1 (83, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Badges: KEV, ITW
CISA Known Exploited Vulnerability, due 2025-04-16
Exploited in the wild
EPSS: 14.15% (96.1st percentile)
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.

Affected

1 range
Vendor: sitecore
Product: cms
Version range: <= 9.1
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

Indicator (other): __CSRFTOKEN
  • Monitor HTTP POST requests containing the __CSRFTOKEN parameter for serialized .NET object payloads (e.g., binary/base64-encoded data inconsistent with a normal CSRF token value), targeting Sitecore CMS/XP endpoints.
  • Focus detection on the Sitecore.Security.AntiCSRF module processing path, as deserialization of untrusted data occurs within this module.
  • Exploitation requires an authenticated session; correlate suspicious __CSRFTOKEN POST activity with valid authenticated Sitecore sessions to prioritize alerts.
  • Vulnerability affects Sitecore CMS and Experience Platform (XP) through version 9.1; confirm scope of affected versions before applying detections.
  • Vendor mitigation guidance is available; refer to Sitecore KB0038556 for patch/configuration details before relying solely on detection.
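The detection bullets above describe the check in words; the following script is an added example (not code from this record or from Sitecore) that applies it to constructed web-server log lines. It assumes a tab-separated log format of its own design and a hypothetical short alphanumeric token as the "normal" __CSRFTOKEN value. The one fact it relies on that the record does not state is that every .NET BinaryFormatter stream opens with the SerializationHeaderRecord bytes 00 01 00 00 00 FF FF FF FF, which base64-encode to the prefix "AAEAAAD/////"; a POST whose __CSRFTOKEN decodes to that header is not a CSRF token. Alerts on requests carrying an authenticated user are raised to high priority, matching the third bullet.

```python
"""Flag HTTP POST requests whose __CSRFTOKEN parameter carries a base64-encoded
.NET BinaryFormatter stream instead of an anti-CSRF token.

Log format, sample lines and the "normal token" assumption are constructed for
this example; only the BinaryFormatter header bytes are a property of .NET."""
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, urlencode

# First nine bytes of a .NET BinaryFormatter stream (SerializationHeaderRecord:
# record type 0x00, root id 1, header id -1 as little-endian int32).
# Base64-encoded they read "AAEAAAD/////".
BINARYFORMATTER_MAGIC = bytes.fromhex("0001000000ffffffff")

# Assumption for this example: a legitimate anti-CSRF token is short.  A much
# longer value is worth review even when the BinaryFormatter header is absent.
MAX_TOKEN_LEN = 128


def decode_token(value: str) -> Optional[bytes]:
    """Base64-decode a form value, tolerating stripped padding; None if not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_token(value: str) -> str:
    """Return 'binaryformatter', 'oversized' or 'ok' for one __CSRFTOKEN value."""
    raw = decode_token(value)
    if raw is not None and raw.startswith(BINARYFORMATTER_MAGIC):
        return "binaryformatter"
    if len(value) > MAX_TOKEN_LEN:
        return "oversized"
    return "ok"


def inspect_request(line: str) -> Optional[dict]:
    """Parse one constructed log line (tab-separated: timestamp, client, user,
    method, path, body) and return an alert dict, or None if nothing is off."""
    ts, client, user, method, path, body = line.rstrip("\n").split("\t", 5)
    if method != "POST":
        return None
    # parse_qs undoes the percent-encoding that '/', '+' and '=' pick up when a
    # base64 value is sent in an application/x-www-form-urlencoded body.
    for token in parse_qs(body, keep_blank_values=True).get("__CSRFTOKEN", []):
        verdict = classify_token(token)
        if verdict != "ok":
            return {
                "ts": ts, "client": client, "user": user, "path": path,
                "reason": verdict,
                # Exploitation needs a valid session: an authenticated user on
                # the request raises the alert priority (bullet 3 above).
                "priority": "high" if user != "-" else "medium",
            }
    return None


def scan(lines):
    """Run inspect_request over an iterable of log lines and collect the alerts."""
    return [alert for alert in (inspect_request(ln) for ln in lines) if alert]


# Constructed sample traffic.  The suspicious token is the BinaryFormatter
# header followed by filler bytes, not a real serialized object.
_PAYLOAD = base64.b64encode(BINARYFORMATTER_MAGIC + b"\x01" + b"\x00" * 7 + b"filler").decode()
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z\t10.0.0.5\tadmin\tPOST\t/sitecore/shell/default.aspx\t"
    + urlencode({"__CSRFTOKEN": "c4f1d2e3a5b6", "__VIEWSTATE": "abc"}),
    "2024-01-01T10:00:01Z\t10.0.0.5\tadmin\tGET\t/sitecore/shell/default.aspx\t",
    "2024-01-01T10:00:02Z\t10.0.0.9\teditor\tPOST\t/sitecore/shell/default.aspx\t"
    + urlencode({"__CSRFTOKEN": _PAYLOAD, "__VIEWSTATE": "abc"}),
    "2024-01-01T10:00:03Z\t10.0.0.7\t-\tPOST\t/sitecore/shell/default.aspx\t"
    + urlencode({"__CSRFTOKEN": "A" * 200}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['priority']:6} {alert['reason']:16} "
              f"user={alert['user']} client={alert['client']} path={alert['path']}")
```

Running the block prints two alerts: a high-priority BinaryFormatter hit for the authenticated editor session and a medium-priority oversized-token hit for the unauthenticated request. Raising only on the header prefix keeps the rule precise; the length heuristic is the looser second net and should be tuned to the token length actually observed in the environment.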

CVSS provenance

nvd, v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH