Description
Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. As a workaround, derver-side file validation is available to strip script tags from file's content during the file upload process.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected products
- umbraco / Umbraco-CMS>= 13.0.0, < 13.5.2 – >= 13.0.0, < 13.5.2
- umbraco / Umbraco-CMS>= 10.0.0, < 10.8.7 – >= 10.0.0, < 10.8.7
- umbraco / Umbraco-CMS>= 8.0.0, < 8.18.15 – >= 8.0.0, < 8.18.15