Vulnerability Details : CVE-2023-33651
An issue in the MVC Device Simulator of Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) v9.0 Initial Release to v13.0 Initial Release allows attackers to bypass authorization rules.
Products affected by CVE-2023-33651
- cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*
- cpe:2.3:a:sitecore:experience_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:sitecore:experience_commerce:*:*:*:*:*:*:*:*
- cpe:2.3:a:sitecore:managed_cloud:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-33651
0.19%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 56 %
Percentile: the proportion of all scored vulnerabilities with an EPSS score at or below this one
CVSS scores for CVE-2023-33651
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2023-33651
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-33651
- https://blog.assetnote.io/2023/05/10/sitecore-round-two/
  Bypass IIS Authorisation with this One Weird Trick - Three RCEs and Two Auth Bypasses in Sitecore 9.3 – Assetnote (Exploit; Third Party Advisory)
- https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1002925
  Security Bulletins - Security Bulletin SC2023-001-568150 (Vendor Advisory)