Friday, February 28, 2025

Sitecore Security: Are These 2023 CVEs Still a Risk?


Security in Sitecore is always evolving, and if you're not keeping an eye on the latest CVEs, you might find yourself on the wrong end of a security bulletin scramble.

Recently, a set of CVEs related to Sitecore PageDesigner have resurfaced with an increased severity rating from NIST (National Institute of Standards and Technology, the U.S. agency responsible for maintaining the National Vulnerability Database and setting cybersecurity standards), prompting the question:

Are these vulnerabilities already covered in Sitecore's official security bulletin SC2024-001-619349?

The short answer: not entirely. But let's break it down.

The CVEs in Question

Back in March 2023, security researchers uncovered a set of zero-day vulnerabilities in Sitecore PageDesigner that could allow attackers to exploit weaknesses in how Sitecore handles file paths and serialized data.

These vulnerabilities were later classified under three CVE (Common Vulnerabilities and Exposures) IDs:

  • CVE-2023-27066 - Directory Traversal: Allows authenticated attackers to download arbitrary files via UrlHandle.

  • CVE-2023-27067 - Directory Traversal: Allows remote attackers to download arbitrary files via a crafted request to download.aspx.

  • CVE-2023-27068 - Deserialization of Untrusted Data: Enables remote attackers to execute arbitrary code through ValidationResult.aspx.

How These Vulnerabilities Work

The original Sitecore PageDesigner flaws were discovered in how Sitecore handled URL parameters and session values within specific backend pages. Here’s a breakdown of the two primary attack vectors:

First: Directory Traversal (CVE-2023-27066 & CVE-2023-27067)

The download.aspx page in Sitecore allowed attackers to manipulate file paths using ../ sequences, potentially granting access to sensitive files like web.config.

Normally, Sitecore prevents direct user input in these cases.

However, a flaw in Sitecore’s internal UrlHandle mechanism made it possible for an attacker to forge requests that bypassed these protections.
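The root cause described above is a file handler that trusts a request-supplied name when building a path. The PowerShell function below is an added example, not Sitecore's code, showing the check such a handler needs: canonicalize the combined path and confirm it still sits under the intended root. The root folder, the sample file names and the function name are constructed for illustration, and the example assumes Windows path semantics, which is where Sitecore runs.

```powershell
# Added illustration (not Sitecore code): confine a requested file name to one root folder.
# The hypothetical unsafe pattern is plain concatenation of $RootFolder and $RequestedName,
# which lets '..\' segments walk upward to files such as web.config.
function Get-ConfinedPath {
    param(
        [Parameter(Mandatory)] [string] $RootFolder,    # folder files may be served from
        [Parameter(Mandatory)] [string] $RequestedName  # value taken from the request
    )
    # Canonicalize the root and keep a trailing separator so 'C:\files2' cannot
    # pass as a child of 'C:\files' in the prefix test below.
    $root = [System.IO.Path]::GetFullPath($RootFolder).TrimEnd('\') + '\'

    # GetFullPath resolves '.' and '..' segments and normalizes '/' to '\'.
    $candidate = [System.IO.Path]::GetFullPath((Join-Path $root $RequestedName))

    # Hardened check: the canonical candidate must still start with the canonical root.
    if (-not $candidate.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Rejected '$RequestedName': resolves outside $root"
    }
    return $candidate
}

# Constructed demo: a scratch folder and three request values, two of which escape it.
$demoRoot = Join-Path $env:TEMP 'traversal-demo'
New-Item -ItemType Directory -Force -Path $demoRoot | Out-Null
foreach ($name in 'report.pdf', '..\..\web.config', 'sub/../../secret.txt') {
    try   { Write-Host "allowed: $(Get-ConfinedPath -RootFolder $demoRoot -RequestedName $name)" }
    catch { Write-Host "blocked: $($_.Exception.Message)" }
}
```

The prefix comparison is done on the canonical form, not on the raw input, so encoded or mixed-separator variants of the same traversal are rejected the same way; a deny-list of literal `../` strings would not give that guarantee.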

Second: Insecure Deserialization (CVE-2023-27068)

Sitecore PageDesigner’s session handling stored data in an unprotected format, allowing an attacker to inject malicious serialized objects.

This vulnerability could lead to remote code execution (RCE) if exploited correctly, making it the most severe issue among the three.

Why These CVEs Matter Now

At the time of discovery, the recommended fix was to upgrade to Sitecore 10.3.0 rev. 008463 or later. However, as of January 28, 2025, the severity rankings for these three CVEs have been increased.

Sitecore’s Response

After reaching out to Sitecore Support, I got clarification specifically regarding CVE-2023-27067:

CVE-2023-27067 is related to bug #390129, which was fixed in Sitecore 10.3.

Sitecore classifies this issue as low priority because it requires an authenticated user to exploit, meaning there is no risk of an anonymous attack.

This CVE is NOT included in Security Bulletin SC2024-001-619349 (KB1003408).

So, while CVE-2023-27067 is real, Sitecore does not consider it critical enough to be included in an official security bulletin.



Workarounds & Mitigation

If upgrading to Sitecore 10.3 isn't an immediate option, Sitecore provides a simple workaround:

🔧 Delete the following file:

  • /sitecore/shell/Applications/Layouts/PageDesigner/PageDesigner.xaml.xml

This file is tied to a deprecated layout editor (used for editing ASPX markup), and removing it does not impact any core Sitecore functionality.

For those running Sitecore versions earlier than 10.3, this is a quick and effective way to mitigate risk until an upgrade is possible.
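To check each Sitecore site on a server for the deprecated file and its version in one pass, the script below is an added example and not Sitecore's own tooling. It assumes the IIS WebAdministration module is available, that each Sitecore web root carries a sitecore\shell\sitecore.version.xml file with major, minor, build and revision elements under information/version (an assumed layout), and that the workaround file lives at the path given in the bulletin above. It only reports by default; removal happens when -Remove is passed, and -WhatIf previews it.

```powershell
# Added example (not Sitecore code): report, and optionally remove, the deprecated
# PageDesigner file across every IIS site that looks like a Sitecore instance.
function Test-PageDesignerExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch] $Remove   # delete the workaround file instead of only reporting it
    )
    Import-Module WebAdministration -ErrorAction Stop   # IIS module that provides Get-Website

    # File named in the Sitecore workaround, relative to the web root.
    $relativeFile = 'sitecore\shell\Applications\Layouts\PageDesigner\PageDesigner.xaml.xml'

    foreach ($site in Get-Website) {
        $root        = [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
        $versionFile = Join-Path $root 'sitecore\shell\sitecore.version.xml'
        if (-not (Test-Path $versionFile)) { continue }   # not a Sitecore web root, skip it

        # Assumed layout: <information><version><major/><minor/><build/><revision/></version></information>
        $v       = ([xml](Get-Content -Raw $versionFile)).information.version
        $version = [version]"$($v.major).$($v.minor).$($v.build)"
        $target  = Join-Path $root $relativeFile
        $present = Test-Path $target

        if ($present -and $Remove -and
            $PSCmdlet.ShouldProcess($target, 'Remove deprecated PageDesigner layout file')) {
            Remove-Item -LiteralPath $target -Force
            $present = $false
        }

        [pscustomobject]@{
            Site           = $site.Name
            Version        = "$version rev. $($v.revision)"
            BelowFixed     = $version -lt [version]'10.3.0'   # fix shipped in 10.3.0 rev. 008463
            WorkaroundFile = $target
            FilePresent    = $present
        }
    }
}

# Report only. Use: Test-PageDesignerExposure -Remove -WhatIf   to preview the deletion.
Test-PageDesignerExposure | Format-Table -AutoSize
```

A row with BelowFixed true and FilePresent true is an instance that still needs either the upgrade or the file removal; keep the report output from the first run so the change is documented before and after.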


Final Thoughts

It’s easy to assume that a security bulletin will cover every vulnerability, but in this case, SC2024-001-619349 (KB1003408) does NOT include CVE-2023-27067. However, the issue was addressed in Sitecore 10.3, and for those who haven’t upgraded yet, removing a single deprecated file provides an immediate workaround.

If you haven't yet, check your environment, apply the necessary mitigation, and as always, stay on top of those Sitecore security bulletin updates!


Happy securing! 🔐