CVE-2009-4367

EUVD-2009-4335
The Staging Webservice ("sitecore modules/staging/service/api.asmx") in Sitecore Staging Module 5.4.0 rev.080625 and earlier allows remote attackers to bypass authentication and (1) upload files, (2) download files, (3) list directories, and (4) clear the server cache via crafted SOAP requests with arbitrary Username and Password values, possibly related to a direct request.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 91%
Affected Products (NVD)
VendorProductVersion
sitecorestaging_module
𝑥
≤ 5.4.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://osvdb.org/61147
http://secunia.com/advisories/37763
http://www.exploit-db.com/exploits/10513
http://www.securityfocus.com/archive/1/508529/100/0/threaded
http://www.securityfocus.com/bid/37388
https://exchange.xforce.ibmcloud.com/vulnerabilities/54881
https://www.sec-consult.com/files/20091217-0_sitecore_StagingModule_1.0.txt
http://osvdb.org/61147
http://secunia.com/advisories/37763
http://www.exploit-db.com/exploits/10513
http://www.securityfocus.com/archive/1/508529/100/0/threaded
http://www.securityfocus.com/bid/37388
https://exchange.xforce.ibmcloud.com/vulnerabilities/54881
https://www.sec-consult.com/files/20091217-0_sitecore_StagingModule_1.0.txt