CVE-2025-34139 (GCVE-0-2025-34139)
Vulnerability from cvelistv5
Published
2025-07-25 15:54
Modified
2025-07-25 18:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Sitecore | Experience Manager (XM) |
Version: 8.0 Initial Release < |
||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34139",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-25T18:20:58.705145Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-25T18:21:11.575Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Experience Manager (XM)",
"vendor": "Sitecore",
"versions": [
{
"lessThanOrEqual": "10.4 Initial Release and later",
"status": "affected",
"version": "8.0 Initial Release",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Experience Platform (XP)",
"vendor": "Sitecore",
"versions": [
{
"lessThanOrEqual": "10.4 Initial Release and later",
"status": "affected",
"version": "8.0 Initial Release",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Experience Commerce (XC)",
"vendor": "Sitecore",
"versions": [
{
"lessThanOrEqual": "10.4 Initial Release and later",
"status": "affected",
"version": "8.0 Initial Release",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Managed Cloud",
"vendor": "Sitecore",
"versions": [
{
"lessThanOrEqual": "10.4 Initial Release and later",
"status": "affected",
"version": "8.0 Initial Release",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sitecore"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability exists in Sitecore\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eExperience Manager (XM),\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eExperience Platform (XP),\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eExperience Commerce (XC), and\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eManaged Cloud that could allow an unauthenticated attacker to read arbitrary files\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003e.\u0026nbsp;\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003e\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eThis vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A vulnerability exists in Sitecore\u00a0Experience Manager (XM),\u00a0Experience Platform (XP),\u00a0Experience Commerce (XC), and\u00a0Managed Cloud that could allow an unauthenticated attacker to read arbitrary files.\u00a0This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-25T15:54:25.297Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003650"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003661"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/sitecore-xm-xp-xc-managed-cloud-arbitrary-file-read"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Sitecore XM/XP/XC and Managed Cloud 8.0 - 10.4 Arbitrary File Read",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34139",
"datePublished": "2025-07-25T15:54:25.297Z",
"dateReserved": "2025-04-15T19:15:22.563Z",
"dateUpdated": "2025-07-25T18:21:11.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-34139\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2025-07-25T16:15:28.913\",\"lastModified\":\"2025-07-29T14:14:55.157\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability exists in Sitecore\u00a0Experience Manager (XM),\u00a0Experience Platform (XP),\u00a0Experience Commerce (XC), and\u00a0Managed Cloud that could allow an unauthenticated attacker to read arbitrary files.\u00a0This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad en Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC) y Managed Cloud que podr\u00eda permitir que un atacante no autenticado lea archivos arbitrarios. Esta vulnerabilidad afecta a todas las topolog\u00edas de Experience Platform (XM, XP, XC) desde la versi\u00f3n inicial 8.0 hasta la versi\u00f3n inicial 10.4 y posteriores. Este problema afecta a Content Management (CM) e instancias independientes. Las soluciones PaaS y en contenedores tambi\u00e9n se ven afectadas.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-552\"}]}],\"references\":[{\"url\":\"https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003650\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003661\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://www.vulncheck.com/advisories/sitecore-xm-xp-xc-managed-cloud-arbitrary-file-read\",\"source\":\"disclosure@vulncheck.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-34139\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-25T18:20:58.705145Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-552\", \"description\": \"CWE-552 Files or Directories Accessible to External Parties\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-25T18:21:05.618Z\"}}], \"cna\": {\"title\": \"Sitecore XM/XP/XC and Managed Cloud 8.0 - 10.4 Arbitrary File Read\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Sitecore\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.7, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Sitecore\", \"product\": \"Experience Manager (XM)\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.0 Initial Release\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"10.4 Initial Release and later\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Sitecore\", \"product\": \"Experience Platform (XP)\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.0 Initial Release\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"10.4 Initial Release and later\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Sitecore\", \"product\": \"Experience Commerce (XC)\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.0 Initial Release\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"10.4 Initial Release and later\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Sitecore\", \"product\": \"Managed Cloud\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.0 Initial Release\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"10.4 Initial Release and later\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003650\", \"tags\": [\"vendor-advisory\", \"patch\"]}, {\"url\": \"https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003661\", \"tags\": [\"vendor-advisory\", \"patch\"]}, {\"url\": \"https://www.vulncheck.com/advisories/sitecore-xm-xp-xc-managed-cloud-arbitrary-file-read\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability exists in Sitecore\\u00a0Experience Manager (XM),\\u00a0Experience Platform (XP),\\u00a0Experience Commerce (XC), and\\u00a0Managed Cloud that could allow an unauthenticated attacker to read arbitrary files.\\u00a0This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A vulnerability exists in Sitecore\u0026nbsp;\u003cspan style=\\\"background-color: rgb(254, 254, 254);\\\"\u003eExperience Manager (XM),\u0026nbsp;\u003cspan style=\\\"background-color: rgb(254, 254, 254);\\\"\u003eExperience Platform (XP),\u0026nbsp;\u003cspan style=\\\"background-color: rgb(254, 254, 254);\\\"\u003eExperience Commerce (XC), and\u0026nbsp;\u003cspan style=\\\"background-color: rgb(254, 254, 254);\\\"\u003eManaged Cloud that could allow an unauthenticated attacker to read arbitrary files\u003cspan style=\\\"background-color: rgb(254, 254, 254);\\\"\u003e.\u0026nbsp;\u003cspan style=\\\"background-color: rgb(254, 254, 254);\\\"\u003e\u003cspan style=\\\"background-color: rgb(254, 254, 254);\\\"\u003eThis vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected.\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2025-07-25T15:54:25.297Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-34139\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-25T18:21:11.575Z\", \"dateReserved\": \"2025-04-15T19:15:22.563Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2025-07-25T15:54:25.297Z\", \"assignerShortName\": \"VulnCheck\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…