Umbraco.CMS
NuGet: 13 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting Umbraco.CMS (page 1 of 1)
- CVE-2015-8813 | HIGH | CVSS 8.2 | EG 8.2 | ✓ Fixed in 7.4.0 | 2017-03-03
The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/dashboard/FeedProxy.aspx.cs in Umbraco before 7.4.0 allows remote attackers to conduct server-side request forgery (SSRF) attacks via the url parameter.
- CVE-2015-8814 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 7.4.0 | 2017-03-03
Umbraco before 7.4.0 allows remote attackers to bypass anti-forgery security measures and conduct cross-site request forgery (CSRF) attacks as demonstrated by editing user account information in the templates.asmx.cs file.
- CVE-2023-38694 | LOW | CVSS 3.5 | EG 3.5 | ✓ Fixed in 12.1.0 | 2023-12-12
vulnerable: 11.0.0 ... 12.1.0-rc (24 versions)
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is…
- CVE-2023-48227 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 12.3.0 | 2023-12-12
vulnerable: 11.0.0 ... 12.3.0-rc (30 versions)
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some s…
- CVE-2023-48313 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 12.3.4 | 2023-12-12
vulnerable: 11.0.0 ... 12.3.3 (34 versions)
Umbraco is an ASP.NET content management system (CMS). Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contains a cross-site scripting (XSS) vulnerability enabling attackers to bring malicious content into a website or…
- CVE-2023-49089 | HIGH | CVSS 7.7 | EG 7.7 | ✓ Fixed in 12.3.4 | 2023-12-12
vulnerable: 11.0.0 ... 12.3.3 (34 versions)
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of th…
- CVE-2023-49273 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 12.3.4 | 2023-12-12
vulnerable: 11.0.0 ... 12.3.3 (34 versions)
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10…
- CVE-2023-49274 | LOW | CVSS 3.7 | EG 3.7 | ✓ Fixed in 12.3.4 | 2023-12-12
vulnerable: 11.0.0 ... 12.3.3 (34 versions)
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a user enumeration attack is possible when SMTP is not set up correctly, but reset password is enabled. Ver…
- CVE-2023-49278 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 12.3.4 | 2023-12-12
vulnerable: 11.0.0 ... 12.3.3 (34 versions)
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. Versions 8.18.10, 10.8.1, and 12.3.4 contain …
- CVE-2023-49279 | LOW | CVSS 3.7 | EG 3.7 | ✓ Fixed in 12.2.0 | 2023-12-12
vulnerable: 12.0.0 ... 12.2.0-rc (7 versions)
Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user…
- CVE-2024-48925 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 14.3.0 | 2024-10-22
vulnerable: 14.0.0 ... 14.3.0-rc (11 versions)
Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 and prior to version 14.3.0. The issue allows low-privilege users to access the webhook API and retrieve inform…
- CVE-2024-48926 | MEDIUM | CVSS 4.2 | EG 4.2 | ✓ Fixed in 10.8.7 | 2024-10-22
vulnerable: 10.0.0 ... 10.8.6 (33 versions)
Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout…
- CVE-2024-48929 | MEDIUM | CVSS 4.2 | EG 4.2 | ✓ Fixed in 10.8.7 | 2024-10-22
vulnerable: 10.0.0 ... 10.8.6 (33 versions)
Umbraco is a free and open source .NET content management system. In versions on the 13.x branch prior to 13.5.2 and versions on the 10.x branch prior to 10.8.7, during an explicit sign-out, the server session is not fully terminated. Vers…