CVE-2024-46938
published 2024-09-15


Priority: P1 (83)
Severity: high, CVSS 3.1 base score 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Exploitation: exploited in the wild (VulnCheck KEV)
EPSS: 46.08% (98.7th percentile)
An issue was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) 8.0 Initial Release through 10.4 Initial Release. An unauthenticated attacker can read arbitrary files.

Affected

3 ranges

Vendor    Product              Version range   Fixed in
sitecore  experience_commerce  8.0 – 10.4      (none listed)
sitecore  experience_manager   8.0 – 10.4      (none listed)
sitecore  experience_platform  8.0 – 10.4      (none listed)

Detection & IOCs (extracted from sources)

sigma (pseudo-condition as extracted, not valid Sigma YAML)
contains(content_type, "text/javascript") AND status_code == 200
  • CVE-2024-46938 is an unauthenticated arbitrary file read in Sitecore XP/XM/XC 8.0 Initial Release through 10.4 Initial Release. The extracted detection logic matches HTTP responses whose Content-Type contains "text/javascript" and whose status code is 200, presumably because the server returns the contents of the requested file to the unauthenticated requester under that content type. On its own this condition also fires on every legitimately served script, so it is only usable when scoped to the specific request path or parameter that triggers the file read; the source excerpt does not identify that request, and it must be taken from the vendor advisory or a known exploit before the rule is deployed.
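The following is an added example, not code from the page, from VulnCheck, or from Sitecore. It runs the extracted condition over a handful of constructed proxy-log lines to show how noisy it is as written, then applies an assumed refinement (flag only 200/text/javascript responses whose URL does not name a .js resource, or whose request carries directory-traversal sequences). The log format, the `/example/endpoint` path and the traversal heuristic are all assumptions made for illustration and are not taken from the advisory.

```python
import re
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class HttpEvent:
    """One request/response pair as a proxy or web server would log it."""
    method: str
    path: str          # request path including any query string
    status_code: int
    content_type: str  # response Content-Type header


def parse_line(line: str) -> HttpEvent:
    # Constructed log format for this example only: METHOD|PATH|STATUS|CONTENT-TYPE
    method, path, status, ctype = line.split("|", 3)
    return HttpEvent(method, path, int(status), ctype)


def base_rule(ev: HttpEvent) -> bool:
    # The condition exactly as extracted on the page:
    #   contains(content_type, "text/javascript") AND status_code == 200
    return "text/javascript" in ev.content_type.lower() and ev.status_code == 200


# Assumed refinement (not from the advisory): a file-read response tends to come
# back with a Content-Type that does not fit the resource the URL names, or on a
# request that carries plain or URL-encoded "../" / "..\" sequences.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e(%2f|/|%5c)|\.\.%2f|\.\.%5c)", re.I)


def refined_rule(ev: HttpEvent) -> bool:
    if not base_rule(ev):
        return False
    resource = ev.path.split("?", 1)[0].lower()
    names_a_script = resource.endswith(".js")
    return (not names_a_script) or bool(TRAVERSAL.search(ev.path))


def run_rule(lines: List[str], rule: Callable[[HttpEvent], bool]) -> List[HttpEvent]:
    """Apply a rule to log lines and return the events it matches."""
    events = (parse_line(line) for line in lines if line.strip())
    return [ev for ev in events if rule(ev)]


# Constructed sample traffic: ordinary script fetches, an HTML page, an icon,
# and two hypothetical requests that pull web.config back as text/javascript.
SAMPLE_LOG = """\
GET|/sitecore/shell/ClientBin/scripts/app.js|200|text/javascript
GET|/layouts/system/VisitorIdentification.js|200|text/javascript; charset=utf-8
GET|/sitecore/login|200|text/html; charset=utf-8
GET|/favicon.ico|200|image/x-icon
GET|/example/endpoint?file=../../web.config|200|text/javascript
GET|/example/endpoint?file=../../web.config|404|text/html
GET|/static/vendor.js|304|text/javascript
GET|/example/endpoint?file=..%2f..%2fweb.config|200|text/javascript
"""


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for name, rule in (("base rule", base_rule), ("refined rule", refined_rule)):
        hits = run_rule(lines, rule)
        print(f"{name}: {len(hits)} hit(s)")
        for ev in hits:
            print(f"  {ev.method} {ev.path} -> {ev.status_code} {ev.content_type}")
```

On the sample traffic the extracted condition matches four responses, three of which are legitimate script downloads; the refinement keeps only the two that pull a non-script file back as JavaScript. Whatever refinement is used in production, the decisive filter is still the actual vulnerable request, which has to come from the vendor advisory or a verified exploit rather than from content-type alone.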

CVSS provenance

NVD:       v3.1  7.5  HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck:       7.5  HIGH