Security Bulletin SC2016-003-136430


The information on the latest update

Description

We are reporting a Critical vulnerability (SC2016-003-136430) in an open-source component, Sitecore PowerShell Extensions, on which Sitecore Experience Accelerator depends. You are also at risk if you have used the open-source Sitecore PowerShell Extensions module in other projects.

Note that the Sitecore PowerShell Extensions module is not distributed with Sitecore software and is not part of the default Sitecore installation.

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the recommended fix to all affected Sitecore systems.

If you would like to receive notifications about new Security Bulletins on the Sitecore Knowledge Base, subscribe to security updates: KB1000489.

Severity Definitions

To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues: Severity Definitions for Security Vulnerabilities.

Versions

Versions affected

Vulnerability 2016-003-136430 affects the following versions of Sitecore that have the Sitecore PowerShell Extensions module installed:

This vulnerability impacts all Sitecore systems running the above-mentioned versions. This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, and all Sitecore server roles (content delivery, content management, reporting, processing, publishing, and so on). It also impacts Sitecore-based intranet sites.

Solution

For Sitecore CMS 7.0–7.2 and Sitecore XP 7.5, download and install Release 4.7 of Sitecore PowerShell Extensions, available here: https://github.com/SitecorePowerShell/Console/releases/tag/4.7.

For Sitecore XP 8.0–8.2, download and install Release 5.0 of Sitecore PowerShell Extensions, available here: https://github.com/SitecorePowerShell/Console/releases/tag/5.0.

This applies to Sitecore solutions with or without Sitecore Experience Accelerator installed.

More Information

For additional information, see the following:

History Of Updates