Contains the Back Office assembly needed to run the back office of Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Contains the Back Office assembly needed to run the back office of Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Umbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is protected so it requires the user to be signed into backoffice before the vulnerable is exposed. This vulnerability has been patched in version(s) 8.18.14, 10.8.6, 12.3.10 and 13.3.1.
Contains the Back Office assembly needed to run the back office of Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.
Contains the Back Office assembly needed to run the back office of Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available.
Contains the Back Office assembly needed to run the back office of Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.
Contains the Back Office assembly needed to run the back office of Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a user enumeration attack is possible when SMTP is not set up correctly, but reset password is enabled. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.
Contains the Back Office assembly needed to run the back office of Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain a patch for this issue.
Vulnerable Library - umbraco.cms.web.backoffice.10.0.0.nupkg
Contains the Back Office assembly needed to run the back office of Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.web.backoffice.10.0.0.nupkg
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-34071
### Vulnerable Library - umbraco.cms.web.backoffice.10.0.0.nupkgContains the Back Office assembly needed to run the back office of Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.web.backoffice.10.0.0.nupkg
Dependency Hierarchy: - :x: **umbraco.cms.web.backoffice.10.0.0.nupkg** (Vulnerable Library)
Found in base branch: v10/contrib
### Vulnerability DetailsUmbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is protected so it requires the user to be signed into backoffice before the vulnerable is exposed. This vulnerability has been patched in version(s) 8.18.14, 10.8.6, 12.3.10 and 13.3.1.
Publish Date: 2024-05-21
URL: CVE-2024-34071
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-j74q-mv2c-rxmp
Release Date: 2024-05-21
Fix Resolution: UmbracoCms.Core - 8.18.14, Umbraco.Cms.Core - 10.8.6,12.3.10,13.3.1, Umbraco.Cms.Web.BackOffice - 10.8.6,12.3.10,13.3.1
CVE-2023-49273
### Vulnerable Library - umbraco.cms.web.backoffice.10.0.0.nupkgContains the Back Office assembly needed to run the back office of Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.web.backoffice.10.0.0.nupkg
Dependency Hierarchy: - :x: **umbraco.cms.web.backoffice.10.0.0.nupkg** (Vulnerable Library)
Found in base branch: v10/contrib
### Vulnerability DetailsUmbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.
Publish Date: 2023-12-12
URL: CVE-2023-49273
### CVSS 3 Score Details (5.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-cfr5-7p54-4qg8
Release Date: 2023-12-12
Fix Resolution: UmbracoCms.Web - 8.18.10, Umbraco.Cms.Web.BackOffice - 10.8.1,12.3.4
CVE-2023-48227
### Vulnerable Library - umbraco.cms.web.backoffice.10.0.0.nupkgContains the Back Office assembly needed to run the back office of Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.web.backoffice.10.0.0.nupkg
Dependency Hierarchy: - :x: **umbraco.cms.web.backoffice.10.0.0.nupkg** (Vulnerable Library)
Found in base branch: v10/contrib
### Vulnerability DetailsUmbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available.
Publish Date: 2023-12-12
URL: CVE-2023-48227
### CVSS 3 Score Details (4.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-335x-5wcm-8jv2
Release Date: 2023-12-12
Fix Resolution: UmbracoCms.Web - 8.18.10, Umbraco.Cms.Web.BackOffice - 10.8.0,12.3.0, UmbracoCms.Core - 8.18.10, Umbraco.Cms.Core - 10.8.0,12.3.0
CVE-2023-49279
### Vulnerable Library - umbraco.cms.web.backoffice.10.0.0.nupkgContains the Back Office assembly needed to run the back office of Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.web.backoffice.10.0.0.nupkg
Dependency Hierarchy: - :x: **umbraco.cms.web.backoffice.10.0.0.nupkg** (Vulnerable Library)
Found in base branch: v10/contrib
### Vulnerability DetailsUmbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.
Publish Date: 2023-12-12
URL: CVE-2023-49279
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6xmx-85x3-4cv2
Release Date: 2023-12-12
Fix Resolution: UmbracoCMS.Core - 7.15.11,8.18.9, UmbracoCMS.Web - 7.15.11,8.18.9, Umbraco.CMS.Core - 10.7.0,11.5.0,12.2.0, Umbraco.Cms.Web.BackOffice - 10.7.0,11.5.0,12.2.0, Umbraco.Cms.Infrastructure - 10.7.0,11.5.0,12.2.0
CVE-2023-49274
### Vulnerable Library - umbraco.cms.web.backoffice.10.0.0.nupkgContains the Back Office assembly needed to run the back office of Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.web.backoffice.10.0.0.nupkg
Dependency Hierarchy: - :x: **umbraco.cms.web.backoffice.10.0.0.nupkg** (Vulnerable Library)
Found in base branch: v10/contrib
### Vulnerability DetailsUmbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a user enumeration attack is possible when SMTP is not set up correctly, but reset password is enabled. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.
Publish Date: 2023-12-12
URL: CVE-2023-49274
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-8qp8-9rpw-j46c
Release Date: 2023-12-12
Fix Resolution: UmbracoCms.Web - 8.18.10, Umbraco.Cms.Web.BackOffice - 10.8.1,12.3.4
CVE-2023-38694
### Vulnerable Library - umbraco.cms.web.backoffice.10.0.0.nupkgContains the Back Office assembly needed to run the back office of Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.web.backoffice.10.0.0.nupkg
Dependency Hierarchy: - :x: **umbraco.cms.web.backoffice.10.0.0.nupkg** (Vulnerable Library)
Found in base branch: v10/contrib
### Vulnerability DetailsUmbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain a patch for this issue.
Publish Date: 2023-12-12
URL: CVE-2023-38694
### CVSS 3 Score Details (3.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-xxc6-35r7-796w
Release Date: 2023-12-12
Fix Resolution: UmbracoCms.Web - 8.18.10, Umbraco.Cms.Web.BackOffice - 10.7.0,12.1.0