Contains the infrastructure assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Contains the infrastructure assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10.8.1, and 12.3.0 contain a patch for this issue.
A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.
Path to dependency file: /tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/6.8.0/microsoft.identitymodel.jsonwebtokens.6.8.0.nupkg
Contains the infrastructure assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.
Contains the infrastructure assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.infrastructure.10.0.0.nupkg
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-36414
### Vulnerable Library - azure.identity.1.3.0.nupkgThis is the implementation of the Azure SDK Client Library for Azure Identity
Library home page: https://api.nuget.org/packages/azure.identity.1.3.0.nupkg
Path to dependency file: /tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg
Dependency Hierarchy: - umbraco.cms.infrastructure.10.0.0.nupkg (Root Library) - npoco.sqlserver.5.3.2.nupkg - microsoft.data.sqlclient.3.0.0.nupkg - :x: **azure.identity.1.3.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsAzure Identity SDK Remote Code Execution Vulnerability
Publish Date: 2023-10-10
URL: CVE-2023-36414
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-36414
Release Date: 2023-10-10
Fix Resolution: Azure.Identity - 1.10.2
CVE-2024-0056
### Vulnerable Library - microsoft.data.sqlclient.3.0.0.nupkgProvides the data provider for SQL Server. These classes provide access to versions of SQL Server an...
Library home page: https://api.nuget.org/packages/microsoft.data.sqlclient.3.0.0.nupkg
Path to dependency file: /tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.data.sqlclient/3.0.0/microsoft.data.sqlclient.3.0.0.nupkg
Dependency Hierarchy: - umbraco.cms.infrastructure.10.0.0.nupkg (Root Library) - npoco.sqlserver.5.3.2.nupkg - :x: **microsoft.data.sqlclient.3.0.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsMicrosoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
Publish Date: 2024-01-09
URL: CVE-2024-0056
### CVSS 3 Score Details (8.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-98g6-xh36-x2p7
Release Date: 2024-01-09
Fix Resolution: Microsoft.Data.SqlClient - 2.1.7,3.1.5,4.0.5,5.1.3, System.Data.SqlClient - 4.8.6
CVE-2023-49089
### Vulnerable Library - umbraco.cms.infrastructure.10.0.0.nupkgContains the infrastructure assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.infrastructure.10.0.0.nupkg
Dependency Hierarchy: - :x: **umbraco.cms.infrastructure.10.0.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsUmbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10.8.1, and 12.3.0 contain a patch for this issue.
Publish Date: 2023-12-12
URL: CVE-2023-49089
### CVSS 3 Score Details (7.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6324-52pr-h4p5
Release Date: 2023-12-12
Fix Resolution: UmbracoCms.Core - 8.18.10, Umbraco.Cms.Infrastructure - 10.8.1,12.3.4
CVE-2024-38095
### Vulnerable Library - system.formats.asn1.6.0.0.nupkgProvides classes that can read and write the ASN.1 BER, CER, and DER data formats. Commonly Used Ty...
Library home page: https://api.nuget.org/packages/system.formats.asn1.6.0.0.nupkg
Path to dependency file: /tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.formats.asn1/6.0.0/system.formats.asn1.6.0.0.nupkg
Dependency Hierarchy: - umbraco.cms.infrastructure.10.0.0.nupkg (Root Library) - mailkit.3.2.0.nupkg - mimekit.3.2.0.nupkg - system.security.cryptography.pkcs.6.0.1.nupkg - :x: **system.formats.asn1.6.0.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability Details.NET and Visual Studio Denial of Service Vulnerability
Publish Date: 2024-07-09
URL: CVE-2024-38095
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-447r-wph3-92pm
Release Date: 2024-07-09
Fix Resolution: Microsoft.NetCore.App.Runtime - 6.0.32,8.0.7, System.Formats.Asn1 - 6.0.1,8.0.1
CVE-2019-0820
### Vulnerable Library - system.text.regularexpressions.4.3.0.nupkgProvides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...
Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.0.nupkg
Path to dependency file: /tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.0/system.text.regularexpressions.4.3.0.nupkg
Dependency Hierarchy: - umbraco.cms.infrastructure.10.0.0.nupkg (Root Library) - markdown.2.2.1.nupkg - :x: **system.text.regularexpressions.4.3.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsA denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981. Mend Note: After conducting further research, Mend has determined that CVE-2019-0820 only affects environments with versions 4.3.0 and 4.3.1 only on netcore50 environment of system.text.regularexpressions.nupkg.
Publish Date: 2019-05-16
URL: CVE-2019-0820
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-cmhx-cq75-c4mj
Release Date: 2019-05-16
Fix Resolution: System.Text.RegularExpressions - 4.3.1
CVE-2024-21319
### Vulnerable Libraries - microsoft.identitymodel.jsonwebtokens.6.8.0.nupkg, system.identitymodel.tokens.jwt.6.8.0.nupkg### microsoft.identitymodel.jsonwebtokens.6.8.0.nupkg
Includes types that provide support for creating, serializing and validating JSON Web Tokens.
Library home page: https://api.nuget.org/packages/microsoft.identitymodel.jsonwebtokens.6.8.0.nupkg
Path to dependency file: /tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.identitymodel.jsonwebtokens/6.8.0/microsoft.identitymodel.jsonwebtokens.6.8.0.nupkg
Dependency Hierarchy: - umbraco.cms.infrastructure.10.0.0.nupkg (Root Library) - npoco.sqlserver.5.3.2.nupkg - microsoft.data.sqlclient.3.0.0.nupkg - microsoft.identitymodel.protocols.openidconnect.6.8.0.nupkg - system.identitymodel.tokens.jwt.6.8.0.nupkg - :x: **microsoft.identitymodel.jsonwebtokens.6.8.0.nupkg** (Vulnerable Library) ### system.identitymodel.tokens.jwt.6.8.0.nupkg
Includes types that provide support for creating, serializing and validating JSON Web Tokens.
Library home page: https://api.nuget.org/packages/system.identitymodel.tokens.jwt.6.8.0.nupkg
Path to dependency file: /tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/system.identitymodel.tokens.jwt/6.8.0/system.identitymodel.tokens.jwt.6.8.0.nupkg
Dependency Hierarchy: - umbraco.cms.infrastructure.10.0.0.nupkg (Root Library) - npoco.sqlserver.5.3.2.nupkg - microsoft.data.sqlclient.3.0.0.nupkg - microsoft.identitymodel.protocols.openidconnect.6.8.0.nupkg - :x: **system.identitymodel.tokens.jwt.6.8.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsMicrosoft Identity Denial of service vulnerability
Publish Date: 2024-01-09
URL: CVE-2024-21319
### CVSS 3 Score Details (6.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-8g9c-28fc-mcx2
Release Date: 2024-01-09
Fix Resolution: System.IdentityModel.Tokens.Jwt - 5.7.0,6.34.0,7.1.2, Microsoft.IdentityModel.JsonWebTokens - 5.7.0,6.34.0,7.1.2
CVE-2024-35255
### Vulnerable Library - azure.identity.1.3.0.nupkgThis is the implementation of the Azure SDK Client Library for Azure Identity
Library home page: https://api.nuget.org/packages/azure.identity.1.3.0.nupkg
Path to dependency file: /tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg
Dependency Hierarchy: - umbraco.cms.infrastructure.10.0.0.nupkg (Root Library) - npoco.sqlserver.5.3.2.nupkg - microsoft.data.sqlclient.3.0.0.nupkg - :x: **azure.identity.1.3.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsAzure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Publish Date: 2024-06-11
URL: CVE-2024-35255
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
Release Date: 2024-06-11
Fix Resolution: @azure/identity - 4.2.1, @azure/msal-node - 2.9.1, Azure.Identity - 1.11.4, Microsoft.Identity.Client - 4.61.3, azure-identity - 1.16.1, com.azure:azure-identity:1.12.2, github.com/Azure/azure-sdk-for-go/sdk/azidentity - 1.6.0
CVE-2024-29992
### Vulnerable Library - azure.identity.1.3.0.nupkgThis is the implementation of the Azure SDK Client Library for Azure Identity
Library home page: https://api.nuget.org/packages/azure.identity.1.3.0.nupkg
Path to dependency file: /tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg
Dependency Hierarchy: - umbraco.cms.infrastructure.10.0.0.nupkg (Root Library) - npoco.sqlserver.5.3.2.nupkg - microsoft.data.sqlclient.3.0.0.nupkg - :x: **azure.identity.1.3.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsAzure Identity Library for .NET Information Disclosure Vulnerability
Publish Date: 2024-04-09
URL: CVE-2024-29992
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-wvxc-855f-jvrv
Release Date: 2024-04-09
Fix Resolution: Azure.Identity - 1.11.0
CVE-2023-49279
### Vulnerable Library - umbraco.cms.infrastructure.10.0.0.nupkgContains the infrastructure assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.infrastructure.10.0.0.nupkg
Dependency Hierarchy: - :x: **umbraco.cms.infrastructure.10.0.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsUmbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.
Publish Date: 2023-12-12
URL: CVE-2023-49279
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6xmx-85x3-4cv2
Release Date: 2023-12-12
Fix Resolution: UmbracoCMS.Core - 7.15.11,8.18.9, UmbracoCMS.Web - 7.15.11,8.18.9, Umbraco.CMS.Core - 10.7.0,11.5.0,12.2.0, Umbraco.Cms.Web.BackOffice - 10.7.0,11.5.0,12.2.0, Umbraco.Cms.Infrastructure - 10.7.0,11.5.0,12.2.0