Security Bulletin SC2019-001-302938

  • In this security bulletin we bring you information on new security-related developments at Sitecore.

    We are reporting a Critical vulnerability (SC2019-001-302938), for which there is a fix available.

    We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the fix to all Sitecore systems.

    If you would like to receive notifications about new Security Bulletins, please subscribe to the Security Bulletins RSS Feed.

  • To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues:

  • Versions affected

    Vulnerability SC2019-001-302938 affects all versions of Sitecore XP 8.2, all versions of XP 9.0, and the Initial Release of XP 9.1.

    The vulnerability applies to all Sitecore systems running affected versions that are exposed to the internet and have the pages under the /sitecore/admin path accessible to Sitecore users. This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, publishing, etc.).

    A hotfix/patch is available for all affected Sitecore XP versions.

    Versions not affected

    Sitecore CMS/XP versions 6.3–8.1 are not vulnerable.

    Sitecore xDB Cloud environments are not affected.

    The issue has been fixed in Sitecore XP 9.1 Update-1.

  • Apply the following patch (compatible with all affected versions): Sitecore.Support.302938-

    Note: see the readme.html file inside the archive for installation instructions.

    • Article update (29-May-19): the issue has been fixed in Sitecore XP 9.1 Update-1.
    • Article update (11-Sep-19): a link to Security Bulletins RSS Feed was added.
    • Article update (30-Sep-19): corrected a typo in the patch link.

Applies to:

CMS 8.2 Initial Release - 9.1 Initial Release

January 16, 2019
September 30, 2019
