CVE-2015-10142 MEDIUM

CVE-2015-10142: Sitecore XP < 8.0 and CMS < 7.2 and < 7.5 File Read via Known Path

Vendor Sitecore
Product Experience Platform (XP)
Weakness CWE-610
Published July 25, 2025
Last update May 15, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Sitecore Experience Platform (XP) prior to 8.0 Initial Release (rev. 141212) and Content Management System (CMS) prior to 7.2 Update-3 (rev. 141226) and prior to 7.5 Update-1 (rev. 150130) contain a vulnerability that may allow an attacker to use a specially crafted URL to download files under the web root of the site when the name of the file is already known. Affected files do not include .config, .aspx or .cs files. The issue does not allow for directory browsing.

Key dates

02 Disclosure timeline

July 25, 2025 CVE published
May 15, 2026 Record updated