NuGet package
umbraco.cms
pkg:nuget/umbraco.cms
Vulnerabilities (26)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-49089 | — | | | >= 8.0.0, < 8.18.10 | 8.18.10 | Dec 12, 2023 | Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10 |
| CVE-2023-48313 | — | | | >= 10.0.0, < 10.8.1 | 10.8.1 | Dec 12, 2023 | Umbraco is an ASP.NET content management system (CMS). Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contains a cross-site scripting (XSS) vulnerability enabling attackers to bring malicious content into a website or application. Versions 10.8.1 and 12.3.4 |
| CVE-2023-48227 | — | | | >= 8.0.0, < 8.18.10 | 8.18.10 | Dec 12, 2023 | Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 1 |
| CVE-2023-38694 | — | | | >= 8.0.0, < 8.18.10 | 8.18.10 | Dec 12, 2023 | Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, |
| CVE-2015-8814 | High | 8.8 | | < 7.4.0 | 7.4.0 | Mar 3, 2017 | Umbraco before 7.4.0 allows remote attackers to bypass anti-forgery security measures and conduct cross-site request forgery (CSRF) attacks as demonstrated by editing user account information in the templates.asmx.cs file. |
| CVE-2015-8813 | High | 8.2 | | < 7.4.0 | 7.4.0 | Mar 3, 2017 | The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/dashboard/FeedProxy.aspx.cs in Umbraco before 7.4.0 allows remote attackers to conduct server-side request forgery (SSRF) attacks via the url parameter. |