VYPR
Medium severity · NVD Advisory · Published Jul 25, 2025 · Updated Apr 15, 2026

CVE-2022-4979

Description

A cross-site scripting (XSS) vulnerability exists in Sitecore Experience Platform (XP) 7.5 - 10.2 and CMS 7.2 - 7.2 Update-6 that may allow authenticated Sitecore Shell users to be tricked into executing custom JS code. Managed Cloud Standard customers who run the affected Sitecore Experience Platform / CMS versions are also affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting vulnerability in Sitecore XP 7.5 through 10.2 and CMS 7.2 through 7.2 Update-6 lets an attacker trick authenticated Sitecore Shell users into executing arbitrary JavaScript.

A cross-site scripting (XSS) vulnerability exists in Sitecore Experience Platform (XP) 7.5 through 10.2 and in Sitecore CMS 7.2 through 7.2 Update-6. The flaw is in the Sitecore Shell, the content-editing and administration interface. As with any XSS, the root cause is user-controlled input reaching an HTML response without adequate output encoding, so attacker-chosen JavaScript ends up in a page that other authenticated Shell users render in their browsers.

Exploitation requires user interaction: the victim, an authenticated Sitecore Shell user, must open a crafted link or view attacker-controlled content, after which the payload executes in the victim's browser within the origin of the Sitecore application. The description does not state what access, if any, the attacker needs in order to plant the payload. Managed Cloud Standard customers running the affected Sitecore Experience Platform or CMS versions are also impacted [1].

Because the injected script runs in the application's origin with the victim's session, it can read what the victim can read and perform Shell actions as the victim: modify content, exfiltrate data, or steal any session material that is accessible to script. Shell users are normally content editors and administrators, so the confidentiality and integrity of the whole Sitecore instance are at stake.

Sitecore has addressed the issue in later releases of the affected products [1]. Upgrade to a release that contains the fix; this page currently lists no patch links, so take the exact hotfix or target version from the vendor bulletin. Managed Cloud Standard customers should apply the same updates [1].
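As an added illustration written for this page (not Sitecore's code, and not a reproduction of this CVE's specific injection point), the Node.js snippet below shows the pattern described above: a request parameter reflected into markup unencoded, beside the encoded form of the same page; a reflection classifier a tester can run over captured response bodies; and a check of the session-cookie flags that bound the damage once an XSS fires. The page fragment, parameter and cookie names are hypothetical, and the sample inputs are constructed.

```javascript
// Added example, not Sitecore code. Page fragment, parameter and cookie
// names are hypothetical; sample inputs are constructed.

// HTML entity encoding for text nodes and double-quoted attribute values.
// Not sufficient on its own for JavaScript, URL or CSS contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: a request parameter is interpolated straight into the
// markup, so a victim who opens a crafted link runs attacker-chosen script in
// the application's origin with the victim's session.
function renderVulnerable(userParam) {
  return `<div class="status">Signed in as ${userParam}</div>`;
}

// Hardened pattern: the identical page, parameter encoded for HTML text context.
function renderSafe(userParam) {
  return `<div class="status">Signed in as ${escapeHtml(userParam)}</div>`;
}

// Reflection check. The tester submits `<TOKEN>` (a unique token wrapped in
// angle brackets) as the parameter and classifies how it came back:
//   'raw'     brackets survived: the parameter is injectable in HTML context
//   'escaped' token present, brackets entity-encoded
//   'none'    parameter not reflected in this response
function classifyReflection(responseBody, token) {
  if (responseBody.includes(`<${token}>`)) return 'raw';
  if (responseBody.includes(token)) return 'escaped';
  return 'none';
}

// Cookie flags that limit what a successful XSS can do with the session.
// HttpOnly blocks document.cookie exfiltration; it does NOT stop injected
// script from issuing same-origin requests as the victim. Returns the flags
// that are missing from a Set-Cookie header value.
function missingCookieFlags(setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const required = ['httponly', 'secure'];
  return required.filter((flag) => !attrs.some((a) => a === flag || a.startsWith(flag + '=')));
}

// Constructed sample inputs.
const token = 'x7q2k';
const probe = `<${token}>`;
const payload = '<img src=x onerror=alert(document.domain)>';

// The vulnerable render reflects the probe intact; the safe one encodes it.
const reflection = {
  vulnerable: classifyReflection(renderVulnerable(probe), token),
  safe: classifyReflection(renderSafe(probe), token),
  unrelated: classifyReflection('<div>nothing here</div>', token),
};

// A hypothetical session cookie, weak and hardened.
const cookies = {
  weak: missingCookieFlags('sid=abc123; path=/'),
  hardened: missingCookieFlags('sid=abc123; path=/; HttpOnly; Secure; SameSite=Lax'),
};

function demo() {
  return {
    vulnerableHtml: renderVulnerable(payload),
    safeHtml: renderSafe(payload),
    reflection,
    cookies,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The classifier only covers the HTML text context; a parameter reflected inside an attribute value, a script block or a URL needs a probe and an encoder specific to that context, which is why a single entity-encoding pass is necessary but not sufficient.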

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)