Security Bulletin SC2024-001-619349


Description

This article reports a critical vulnerability (SC2024-001-619349) in Sitecore software related to the risk of unauthenticated arbitrary file reads, for which there is a solution available.

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the solution to all the affected Sitecore instances. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.

The vulnerability impacts the following Sitecore products:

Sitecore Products                          Impact
Experience Manager (XM)                    Impacted*
Experience Platform (XP)                   Impacted*
Experience Commerce (XC)                   Impacted*
Managed Cloud                              Impacted**
XM Cloud                                   Not impacted
Content Hub                                Not impacted
CDP and Personalize (formerly Boxever)     Not impacted
OrderCloud (formerly Four51 OrderCloud)    Not impacted
Storefront (formerly Four51 Storefront)    Not impacted
Moosend                                    Not impacted
Send                                       Not impacted
Discover (formerly Reflektion)             Not impacted
Search                                     Not impacted
Commerce Server                            Not impacted

* The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release to 10.4 Initial Release. The issue affects Content Management (CM) and Standalone instances. PaaS solutions and containerized solutions are also affected.

** Managed Cloud customers who run the affected Experience Platform versions are affected. Only Content Management (CM) and Standalone Managed Cloud instances are affected.

This Security Bulletin may receive additional updates as further details are discovered, and the History Of Updates section will provide a detailed list of all the changes.

If you would like to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.

Severity Definitions

To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the definitions from Severity Definitions for Security Vulnerabilities to report security issues.

Solution

To mitigate the issue, Sitecore recommends you apply the patch below to the affected Sitecore systems. The patch can be used for all impacted product versions from 9.1 Initial Release to 10.4 Initial Release. Follow these installation instructions:

  1. Download and unpack the Sitecore.Support.619349.zip archive.
  2. Place the Sitecore.Support.619349.dll in the \bin folder.
  3. Place the Sitecore.Support.619349.config in the \App_Config\Include\zzz folder.

Note that Sitecore is currently preparing hotfix packages; they will be published once they are ready.

FAQ

Does the issue affect all Sitecore XP Core server roles (Content Delivery, Content Management, Reporting, Processing, EXM Dispatch)?
The issue impacts only Content Management (CM) and Standalone roles. Apply the above solution to the specified roles.

If we use Azure Marketplace to install XM/XP/XC now, for example 10.3, will it include the hotfix mentioned above or will we still need to apply it manually? Are hotfixes automatically rolled into the Azure Marketplace?
No, hotfixes are not automatically rolled into the Azure Marketplace. Azure Marketplace supports the same versions that have been released at dev.sitecore.net. If the issue has not been fixed in the released versions, apply the above solution to your instance.


How can I fix the issue for 9.0.2 or an earlier version?

For 9.0.2 and earlier versions, follow these installation instructions:

  1. Download and unpack the Sitecore.Support.61934-8.0.0-9.0.2.0.zip archive.
  2. Place the Sitecore.Support.619349.dll in the \bin folder.
  3. Place the Sitecore.Support.619349.config in the \App_Config\Include\zzz folder.

Considering that 9.0.2 and earlier versions have entered the Sustaining Support phase and Sitecore does not provide hotfix packages for them, Sitecore recommends upgrading to a later version and applying the corresponding hotfix.
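The two installation procedures above (the 9.1 to 10.4 patch and the 8.0.0 to 9.0.2.0 variant) differ only in the archive name, so a single deployment script covers both. The script below is an added example written for this bulletin, not Sitecore's own tooling; it assumes $PatchDir is the folder where the archive was unpacked, $WebRoot is the webroot of a CM or Standalone instance, and that the instance role (Sitecore 9 and later) is declared via the role:define appSetting in web.config.

```powershell
# Added example (not Sitecore tooling): deploy the Sitecore.Support.619349 patch files
# into a Sitecore webroot and verify that they landed where Sitecore will load them.
param(
    [Parameter(Mandatory)] [string] $WebRoot,   # e.g. C:\inetpub\wwwroot\sc104sc (assumed path)
    [Parameter(Mandatory)] [string] $PatchDir   # folder where the patch archive was unpacked
)

$ErrorActionPreference = 'Stop'

$dll    = Join-Path $PatchDir 'Sitecore.Support.619349.dll'
$config = Join-Path $PatchDir 'Sitecore.Support.619349.config'
$bin    = Join-Path $WebRoot  'bin'
$zzz    = Join-Path $WebRoot  'App_Config\Include\zzz'

# Sanity checks: both patch files must exist, and the target must look like a Sitecore webroot.
foreach ($f in @($dll, $config)) {
    if (-not (Test-Path $f)) { throw "Patch file not found: $f" }
}
if (-not (Test-Path (Join-Path $bin 'Sitecore.Kernel.dll'))) {
    throw "$WebRoot does not look like a Sitecore webroot (bin\Sitecore.Kernel.dll missing)"
}

# The bulletin scopes the fix to CM and Standalone roles. Sitecore 9+ declares the role in
# web.config appSettings as 'role:define'; 8.x has no such key, so only warn when it is present.
$webConfig = Join-Path $WebRoot 'web.config'
$role = ([xml](Get-Content $webConfig -Raw)).configuration.appSettings.add |
        Where-Object { $_.key -eq 'role:define' } | Select-Object -ExpandProperty value
if ($role -and $role -notmatch 'ContentManagement|Standalone') {
    Write-Warning "Instance role is '$role'; the bulletin targets CM and Standalone roles only."
}

# The zzz include folder may not exist yet; create it so the patch config is loaded last
# and takes precedence over earlier Include files.
New-Item -ItemType Directory -Path $zzz -Force | Out-Null

Copy-Item $dll    -Destination $bin -Force
Copy-Item $config -Destination $zzz -Force

# Verify the deployment and record the hashes of what was installed for the change log.
$deployed = @(
    (Join-Path $bin 'Sitecore.Support.619349.dll'),
    (Join-Path $zzz 'Sitecore.Support.619349.config')
)
foreach ($f in $deployed) {
    if (-not (Test-Path $f)) { throw "Deployment failed: $f is missing" }
    Get-FileHash $f -Algorithm SHA256 | Format-List Path, Hash
}
Write-Host "Patch 619349 deployed to $WebRoot; ASP.NET restarts the application when \bin changes."
```

Run it once per CM or Standalone instance; Content Delivery, Processing and Reporting roles are outside the bulletin's scope and the role check warns rather than stops so that combined roles such as "ContentManagement, Processing" still deploy.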


Is it possible to provide more information regarding the vulnerability?

No, it is not possible for security reasons. In particular, publishing details could disclose the exploitation scenario and cause severe impact on customers.

Does the vulnerability impact Managed Cloud subscriptions?
The vulnerability impacts both Managed Cloud Standard and Managed Cloud Premium subscriptions. Apply the solution above to mitigate the vulnerability.

History Of Updates