Security Bulletin SC2023-001-568150

The information on the latest update


This article reports a Critical vulnerability (SC2023-001-568150) in Sitecore software for which there is a solution available.

This issue is related to the MVC Device Simulator vulnerability which might allow IIS Authorization Rules Bypass.

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the Solution to all the affected Sitecore instances. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.

The vulnerability impacts the following Sitecore products:

 Sitecore Products  Impact 
 Experience Manager (XM) Impacted*
 Experience Platform (XP)
 Experience Commerce (XС)
 Managed Cloud Impacted**
 XM Cloud Not impacted
 Content Hub Not impacted
 CDP and Personalize (formerly Boxever) Not impacted
 OrderCloud (formerly Four51 OrderCloud) Not impacted
 Storefront (formerly Four51 Storefront) Not impacted
 Moosend Not impacted
 Send Not impacted
 Discover (formerly Reflektion) Not impacted
 Commerce Server Not impacted

* The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release;
8.2 Update-7 and earlier versions have not been tested as per Support Lifecycle
** Managed Cloud customers who run the affected Experience Platform versions are affected

This Security Bulletin may receive additional updates as further details are discovered, and the History Of Updates section will provide a detailed list of all the changes.

If you would like to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.

To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the definitions from the Severity Definitions for Security Vulnerabilities to report security issues.


Note that this bulletin is superseded by Security Bulletin SC2023-003-587441. If you have already applied the permanent solution from Security Bulletin SC2023-003-587441, there is no need to apply solution from the current bulletin. 

To mitigate the vulnerability, it is recommended that you apply the fixes to the affected Sitecore systems depending on your deployment. Note that the fixes cover both 568150 and 576660 issues. Follow the installation instructions from the readme file (when available).

As an alternative, apply the below solution to the affected Sitecore systems depending on your deployment. Note that this solution covers only 568150 issue and does not cover 576660 issue.

Note: Disabling the configuration file and removing the assembly have no impact on the MVC Device Simulator functioning. 
The functionality was used in older product versions but became obsolete.


Does the issue affect all Sitecore XP Core server roles (Content Delivery, Content Management, Reporting, Processing, EXM Dispatch)?
Yes, the issue impacts all Sitecore XP Core server roles. Apply the above solution to different roles.

Do I need to disable Sitecore.MVC.DeviceSimulator.config and remove Sitecore.Mvc.DeviceSimulator.dll file when applying the hotfix?
That does not matter because the fix is installed from the hotfix package.

Is it possible to provide more information regarding the vulnerability?
No, it is not possible due to security reasons. In particular, this might lead to scenario disclosure and cause a severe impact on the customers.

History Of Updates