Security Bulletin SC2020-002-293863

  • This article reports a Medium vulnerability (SC2020-002-293863) in Sitecore software, for which there is a fix available.

    This relates to a previously disclosed Critical vulnerability (SC2019-002-312864) in Sitecore software, for which a fix was made available in March 2019.

    Medium vulnerability SC2020-002-293863 allows an authenticated threat actor to inject malicious commands and code, thus compromising the security controls.

    We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the fix to all Sitecore systems. In the event that customers are unable to apply the Solution immediately, Sitecore suggests that customers apply the Alternative Workaround in the interim and identify a way to apply the Solution.

    If you would like to receive notifications about new Security Bulletins, please subscribe to the Security Bulletins RSS Feed.

  • To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues:

  • Versions affected

    Vulnerability SC2020-002-293863 affects following Sitecore XP versions:

    • Sitecore XP 9.1 Initial Release
    • Sitecore XP 9.0 Update-2
    • Sitecore XP 9.0 Update-1
    • Sitecore XP 9.0 Initial Release

    This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, publishing, etc.).

    A hotfix is available for all affected Sitecore XP versions.

    Versions not affected

    Sitecore XP versions 9.1 Update-1 and later are not affected by this vulnerability.

    Sitecore XP versions 8.2 and earlier are not affected by this vulnerability.

    Important note!

    Sitecore XP versions 8.2 and earlier are affected by the related Critical vulnerability SC2019-002-312864. Sitecore recommends immediately applying a fix for Critical vulnerability SC2019-002-312864 which is documented in the following security bulletin:

  • Install the hotfix by performing the following steps:
    1. Open the \App_Config\Sitecore\AntiCSRFModule\Sitecore.AntiCsrf.config file.
    2. Under the configuration/sitecore/AntiCsrf/rules/rule[@name="shell"] node add the following:
      <ignore contains="/sitecore/shell/Applications/Tools/Installer/InstallationWizard" />
    3. Change the configuration/sitecore/AntiCsrf/rules/rule[@name="xaml-controls"] node in the following way:
      <rule name="xaml-controls1">
      <ignore contains="/sitecore/shell/~/xaml/Installer.AddSecuritySourceDialog"/> … <ignore contains="/sitecore/shell/~/xaml/Sitecore.Shell.Applications.MarketingAutomation.Dialogs.ActionEditors.SubtractFromVisitProfile.aspx"/>
      <rule name="xaml-controls2"> <urlPrefix>/sitecore/shell/-/xaml/</urlPrefix>
      <ignore contains="/sitecore/shell/-/xaml/Installer.AddSecuritySourceDialog"/> … <ignore contains="/sitecore/shell/-/xaml/Sitecore.Shell.Applications.MarketingAutomation.Dialogs.ActionEditors.SubtractFromVisitProfile.aspx"/>
      Note: the initial "xaml-controls" rule node should be split into two. The "urlPrefix" node containing a dash symbol should be added to the second "rule" node.

    4. Open the \App_Config\Sitecore\Marketing.Xdb.MarketingAutomation.Tracking\Sitecore.Xdb.MarketingAutomation.Tracking.config file.
    5. Change the <rule name="xaml-controls"> vnode in the following way:
      <rule name="xaml-controls1">
          <ignore contains="/sitecore/shell/~/xaml/Sitecore.Shell.Applications.Rules.MarketingAutomation.SelectPlanActivity" />
      <rule name="xaml-controls2"> <ignore contains="/sitecore/shell/-/xaml/Sitecore.Shell.Applications.Rules.MarketingAutomation.SelectPlanActivity" /> </rule>
      Note: the initial "xaml-controls" rule node should be split into two. The URL with tilde (~) in first rule and the URL with dash (-) symbol should be added to the second "rule" node.
    6. Install the following hotfix via Package Installation Wizard: SC Hotfix 313001-1 Security.AntiCsrf 1.1.1.
      This hotfix replaces existing files. When asked what to do, allow the installation wizard to overwrite the existing files.
    To verify that the fix has been applied successfully, check the "Product version" property of the Sitecore.Security.AntiCsrf.dll assembly. It should be "1.1.1-r00011-e000b86 Hofix 313001-1".
  • If full solution cannot be applied right away, the following temporary workaround can be used on all affected Sitecore instances to secure them from the vulnerability.

    To temporary address the vulnerability, deny access to the \Website\sitecore\shell folder on all Sitecore instances in all your Sitecore environments.

    1. Go to your Sitecore web application in the Internet Information Services (IIS) Manager application.
    2. Select \sitecore\shell folder.
    3. Click the .NET Authorization Rules:

    4. Click Add Deny Rule… in the Actions panel:

    5. Select All users and OK:

    Note: Upon implementing this workaround, content editing functionality will not be available in your Sitecore environments.

    If content editing functionality cannot be temporary disabled, as an alternative, it is possible to configure IP-based security restrictions for \Website\sitecore\shell folder to block all access for external users and only allow access from trusted IP addresses which malicious actor is not able to use. For instructions on how to configure IP-based security restrictions, see

    • 02-Apr-2020: Article published.
    • 14-Apr-2020: Hotfix installation instructions were updated. The hotfix package remains the same. If the hotfix has been applied using old instructions, your installation is secure and no further action is required. However, using the "Select roles" dialog in the User Manager application could result in the "The data could not be loaded" error. To fix the error, apply steps 1-3 from the Solution section of this article.
    • 17-Apr-2020: Step #3 of the Solution section was updated to fully address the error with the User Manager application mentioned above. The hotfix package remains the same and your installation remains secure in case the hotfix has been applied using old instructions.
    • 01-May-2020: Steps describing changes in the Sitecore.Xdb.MarketingAutomation.Tracking.config file were added to fix an issue with xDB config files merging. The hotfix package remains the same and your installation remains secure in case the hotfix has been applied using old instructions.

Applies to:

CMS 9.0 - 9.1 Initial Release

CMS 9.1 Update-1

April 02, 2020
May 08, 2020


  • Security Vulnerabilities