CVE-2023-27067: 
Sitecore Experience Platform (XP) vulnerability analysis and mitigation

A Directory Traversal vulnerability was identified in Sitecore Experience Platform through version 10.2. The vulnerability, tracked as CVE-2023-27067, was disclosed on May 22, 2023, and allows remote attackers to download arbitrary files via crafted commands to download.aspx (NVD, CVE).

The vulnerability is classified as a Path Traversal issue (CWE-22) that enables improper limitation of a pathname to a restricted directory. It received a CVSS v3.1 base score of 7.5 (HIGH), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability can be exploited remotely with no privileges or user interaction required, and primarily impacts confidentiality (NVD).

The vulnerability allows remote attackers to download arbitrary files from the affected system through crafted commands directed at the download.aspx endpoint. This could potentially lead to unauthorized access to sensitive information stored on the server (NVD).

Users are advised to upgrade to a version newer than Sitecore Experience Platform 10.2. The vulnerability has been addressed in subsequent releases (Sitecore Release Notes).