Description

This article reports Medium vulnerabilities (SC2025-004), for which there is a solution available. Successful exploitation of the related vulnerabilities might lead to remote code execution and non-authorized access to information.

We encourage Sitecore customers and partners to familiarize themselves with the information that follows and apply the Solution to all affected Sitecore instances. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.

The vulnerability impacts the following Sitecore products:

Sitecore Products	Impact
Experience Manager (XM)	Impacted*
Experience Platform (XP)
Experience Commerce (XC)
Managed Cloud	Impacted**
XM Cloud	Not impacted
Content Hub	Not impacted
CDP and Personalize	Not impacted
OrderCloud	Not impacted
Storefront (formerly Four51 Storefront)	Not impacted
Send	Not impacted
Discover	Not impacted
Search	Not impacted
Commerce Server	Not impacted

* The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.2 Initial Release to 10.4 Initial Release. PaaS solutions and containerized solutions are also affected.
** Managed Cloud customers who run the affected Experience Platform versions are affected and should follow their documented procedures for the application of the appropriate patches. Managed Cloud Premium customers are able to reach out to their named Solutions Engineer to receive direct support with patch installation.

This Security Bulletin might be updated as further details are discovered;  the History of updates section will provide a detailed list of all changes.

If you want to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.

Severity Definitions

To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the definitions from the Severity Definitions for Security Vulnerabilities to report security issues.

Solution

To mitigate the vulnerability, it is recommended to apply the following fixes to the affected Sitecore systems depending on your deployment. Note that the Solution includes separate fixes for XP and SXA module. 

• For On-Prem and PaaS (regardless the presence of the SXA module installed), for Sitecore 9.2.0 and later versions proceed with the below instructions for  Standalone, Content Delivery, Content Management, and EXM Dispatch (if applicable) servers:
  • Download and unpack the Sitecore.Support.PDXP-11460.zip archive
  • Place the Sitecore.Support.PDXP-11460.dll to the \bin folder.
  • Place the Sitecore.Support.PDXP-11460.config to the \App_Config\Include\zzz folder.
    
    
• If the SXA module is installed, also apply the corresponding cumulative hotfix:
  • For Sitecore 9.2 and SXA 1.9.0: from KB1001753
  • For Sitecore 9.3 and SXA 9.3.0: from KB1001754
  • For Sitecore 10.0 and SXA 10.0.0: from KB1001755
  • For Sitecore 10.1 and SXA 10.1: from KB1001756
  • For Sitecore 10.2 and SXA 10.2: from KB1001757
  • For Sitecore 10.3 and SXA 10.3: from KB1002845
  • For Sitecore 10.4 and SXA 10.4: from KB1003459
    
    

FAQ

If we use Azure Marketplace to install the instance soon, for example 10.3, will it include fixes mentioned above or will we still need to apply it manually? Are fixes automatically rolled in the Azure Marketplace?
No, fixes aren't automatically rolled into the Azure Marketplace. Azure Marketplace supports the same versions that have been released at dev.sitecore.net. If the issue has not been fixed in the released versions, apply the above solution to your instance.

Does the vulnerability impact Managed Cloud subscriptions?
The vulnerability impacts both Managed Cloud Standard and Managed Cloud Premium subscriptions. Apply the solution above to mitigate the vulnerability.

History of updates

• 11-Jul-2025: published the article.