GitHub_MCVE-2023-49279CVE-2023-49279
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
13.3%
Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| umbraco | umbraco_cms | * | cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:* |
CNA Affected
[
{
"vendor": "umbraco",
"product": "Umbraco-CMS",
"versions": [
{
"version": ">= 7.0.0, < 7.15.11",
"status": "affected"
},
{
"version": ">= 8.0.0, < 8.18.9",
"status": "affected"
},
{
"version": ">= 9.0.0-rc001, < 10.7.0",
"status": "affected"
},
{
"version": ">= 11.0.0-rc1, < 11.5.0",
"status": "affected"
},
{
"version": ">= 12.0.0-rc1, < 12.2.0",
"status": "affected"
}
]
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
13.3%