Contains the core assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Path to dependency file: /src/Umbraco.Cms/Umbraco.Cms.csproj
Path to vulnerable library: /src/Umbraco.Cms/Umbraco.Cms.csproj,/src/Umbraco.Examine.Lucene/Umbraco.Examine.Lucene.csproj,/src/Umbraco.Web.Common/Umbraco.Web.Common.csproj,/src/Umbraco.New.Cms.Web.Common/Umbraco.New.Cms.Web.Common.csproj,/src/Umbraco.New.Cms.Core/Umbraco.New.Cms.Core.csproj,/tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj,/tests/Umbraco.Tests.Common/Umbraco.Tests.Common.csproj,/src/Umbraco.Infrastructure/Umbraco.Infrastructure.csproj,/src/Umbraco.New.Cms.Infrastructure/Umbraco.New.Cms.Infrastructure.csproj,/legacy/Umbraco.Tests/Umbraco.Tests.csproj,/tests/Umbraco.Tests.Integration/Umbraco.Tests.Integration.csproj,/tests/Umbraco.TestData/Umbraco.TestData.csproj,/src/Umbraco.Web.BackOffice/Umbraco.Web.BackOffice.csproj,/src/Umbraco.PublishedCache.NuCache/Umbraco.PublishedCache.NuCache.csproj,/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj,/src/Umbraco.Cms.Persistence.Sqlite/Umbraco.Cms.Persistence.Sqlite.csproj,/tests/Umbraco.Tests.UnitTests/Umbraco.Tests.UnitTests.csproj,/src/Umbraco.Web.Website/Umbraco.Web.Website.csproj,/src/Umbraco.Cms.Persistence.SqlServer/Umbraco.Cms.Persistence.SqlServer.csproj,/src/Umbraco.Cms.StaticAssets/Umbraco.Cms.StaticAssets.csproj,/src/JsonSchema/JsonSchema.csproj,/src/Umbraco.Cms.ManagementApi/Umbraco.Cms.ManagementApi.csproj
Contains the core assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Path to dependency file: /src/Umbraco.Cms/Umbraco.Cms.csproj
Path to vulnerable library: /src/Umbraco.Cms/Umbraco.Cms.csproj,/src/Umbraco.Examine.Lucene/Umbraco.Examine.Lucene.csproj,/src/Umbraco.Web.Common/Umbraco.Web.Common.csproj,/src/Umbraco.New.Cms.Web.Common/Umbraco.New.Cms.Web.Common.csproj,/src/Umbraco.New.Cms.Core/Umbraco.New.Cms.Core.csproj,/tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj,/tests/Umbraco.Tests.Common/Umbraco.Tests.Common.csproj,/src/Umbraco.Infrastructure/Umbraco.Infrastructure.csproj,/src/Umbraco.New.Cms.Infrastructure/Umbraco.New.Cms.Infrastructure.csproj,/legacy/Umbraco.Tests/Umbraco.Tests.csproj,/tests/Umbraco.Tests.Integration/Umbraco.Tests.Integration.csproj,/tests/Umbraco.TestData/Umbraco.TestData.csproj,/src/Umbraco.Web.BackOffice/Umbraco.Web.BackOffice.csproj,/src/Umbraco.PublishedCache.NuCache/Umbraco.PublishedCache.NuCache.csproj,/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj,/src/Umbraco.Cms.Persistence.Sqlite/Umbraco.Cms.Persistence.Sqlite.csproj,/tests/Umbraco.Tests.UnitTests/Umbraco.Tests.UnitTests.csproj,/src/Umbraco.Web.Website/Umbraco.Web.Website.csproj,/src/Umbraco.Cms.Persistence.SqlServer/Umbraco.Cms.Persistence.SqlServer.csproj,/src/Umbraco.Cms.StaticAssets/Umbraco.Cms.StaticAssets.csproj,/src/JsonSchema/JsonSchema.csproj,/src/Umbraco.Cms.ManagementApi/Umbraco.Cms.ManagementApi.csproj
Umbraco has a GeneratePassword function that is used to generate passwords that should be unpredictable, this function uses the .NET Random class which isn't cryptographically secure. An attacker is able to predict generated passwords and use them to log in to newly-created accounts.
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
CVE-2024-34071
### Vulnerable Library - umbraco.cms.core.10.0.0.nupkg
Contains the core assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Path to dependency file: /src/Umbraco.Cms/Umbraco.Cms.csproj
Path to vulnerable library: /src/Umbraco.Cms/Umbraco.Cms.csproj,/src/Umbraco.Examine.Lucene/Umbraco.Examine.Lucene.csproj,/src/Umbraco.Web.Common/Umbraco.Web.Common.csproj,/src/Umbraco.New.Cms.Web.Common/Umbraco.New.Cms.Web.Common.csproj,/src/Umbraco.New.Cms.Core/Umbraco.New.Cms.Core.csproj,/tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj,/tests/Umbraco.Tests.Common/Umbraco.Tests.Common.csproj,/src/Umbraco.Infrastructure/Umbraco.Infrastructure.csproj,/src/Umbraco.New.Cms.Infrastructure/Umbraco.New.Cms.Infrastructure.csproj,/legacy/Umbraco.Tests/Umbraco.Tests.csproj,/tests/Umbraco.Tests.Integration/Umbraco.Tests.Integration.csproj,/tests/Umbraco.TestData/Umbraco.TestData.csproj,/src/Umbraco.Web.BackOffice/Umbraco.Web.BackOffice.csproj,/src/Umbraco.PublishedCache.NuCache/Umbraco.PublishedCache.NuCache.csproj,/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj,/src/Umbraco.Cms.Persistence.Sqlite/Umbraco.Cms.Persistence.Sqlite.csproj,/tests/Umbraco.Tests.UnitTests/Umbraco.Tests.UnitTests.csproj,/src/Umbraco.Web.Website/Umbraco.Web.Website.csproj,/src/Umbraco.Cms.Persistence.SqlServer/Umbraco.Cms.Persistence.SqlServer.csproj,/src/Umbraco.Cms.StaticAssets/Umbraco.Cms.StaticAssets.csproj,/src/JsonSchema/JsonSchema.csproj,/src/Umbraco.Cms.ManagementApi/Umbraco.Cms.ManagementApi.csproj
Umbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is protected so it requires the user to be signed into backoffice before the vulnerable is exposed. This vulnerability has been patched in version(s) 8.18.14, 10.8.6, 12.3.10 and 13.3.1.
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-48227
### Vulnerable Library - umbraco.cms.core.10.0.0.nupkg
Contains the core assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Path to dependency file: /src/Umbraco.Cms/Umbraco.Cms.csproj
Path to vulnerable library: /src/Umbraco.Cms/Umbraco.Cms.csproj,/src/Umbraco.Examine.Lucene/Umbraco.Examine.Lucene.csproj,/src/Umbraco.Web.Common/Umbraco.Web.Common.csproj,/src/Umbraco.New.Cms.Web.Common/Umbraco.New.Cms.Web.Common.csproj,/src/Umbraco.New.Cms.Core/Umbraco.New.Cms.Core.csproj,/tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj,/tests/Umbraco.Tests.Common/Umbraco.Tests.Common.csproj,/src/Umbraco.Infrastructure/Umbraco.Infrastructure.csproj,/src/Umbraco.New.Cms.Infrastructure/Umbraco.New.Cms.Infrastructure.csproj,/legacy/Umbraco.Tests/Umbraco.Tests.csproj,/tests/Umbraco.Tests.Integration/Umbraco.Tests.Integration.csproj,/tests/Umbraco.TestData/Umbraco.TestData.csproj,/src/Umbraco.Web.BackOffice/Umbraco.Web.BackOffice.csproj,/src/Umbraco.PublishedCache.NuCache/Umbraco.PublishedCache.NuCache.csproj,/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj,/src/Umbraco.Cms.Persistence.Sqlite/Umbraco.Cms.Persistence.Sqlite.csproj,/tests/Umbraco.Tests.UnitTests/Umbraco.Tests.UnitTests.csproj,/src/Umbraco.Web.Website/Umbraco.Web.Website.csproj,/src/Umbraco.Cms.Persistence.SqlServer/Umbraco.Cms.Persistence.SqlServer.csproj,/src/Umbraco.Cms.StaticAssets/Umbraco.Cms.StaticAssets.csproj,/src/JsonSchema/JsonSchema.csproj,/src/Umbraco.Cms.ManagementApi/Umbraco.Cms.ManagementApi.csproj
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available.
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-35218
### Vulnerable Library - umbraco.cms.core.10.0.0.nupkg
Contains the core assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Path to dependency file: /src/Umbraco.Cms/Umbraco.Cms.csproj
Path to vulnerable library: /src/Umbraco.Cms/Umbraco.Cms.csproj,/src/Umbraco.Examine.Lucene/Umbraco.Examine.Lucene.csproj,/src/Umbraco.Web.Common/Umbraco.Web.Common.csproj,/src/Umbraco.New.Cms.Web.Common/Umbraco.New.Cms.Web.Common.csproj,/src/Umbraco.New.Cms.Core/Umbraco.New.Cms.Core.csproj,/tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj,/tests/Umbraco.Tests.Common/Umbraco.Tests.Common.csproj,/src/Umbraco.Infrastructure/Umbraco.Infrastructure.csproj,/src/Umbraco.New.Cms.Infrastructure/Umbraco.New.Cms.Infrastructure.csproj,/legacy/Umbraco.Tests/Umbraco.Tests.csproj,/tests/Umbraco.Tests.Integration/Umbraco.Tests.Integration.csproj,/tests/Umbraco.TestData/Umbraco.TestData.csproj,/src/Umbraco.Web.BackOffice/Umbraco.Web.BackOffice.csproj,/src/Umbraco.PublishedCache.NuCache/Umbraco.PublishedCache.NuCache.csproj,/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj,/src/Umbraco.Cms.Persistence.Sqlite/Umbraco.Cms.Persistence.Sqlite.csproj,/tests/Umbraco.Tests.UnitTests/Umbraco.Tests.UnitTests.csproj,/src/Umbraco.Web.Website/Umbraco.Web.Website.csproj,/src/Umbraco.Cms.Persistence.SqlServer/Umbraco.Cms.Persistence.SqlServer.csproj,/src/Umbraco.Cms.StaticAssets/Umbraco.Cms.StaticAssets.csproj,/src/JsonSchema/JsonSchema.csproj,/src/Umbraco.Cms.ManagementApi/Umbraco.Cms.ManagementApi.csproj
Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored Cross-site scripting (XSS) enable attackers that have access to backoffice to bring malicious content into a website or application. This vulnerability has been patched in version(s) 8.18.13, 10.8.4, 12.3.7, 13.1.1 by implementing IHtmlSanitizer.
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-49279
### Vulnerable Library - umbraco.cms.core.10.0.0.nupkg
Contains the core assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Path to dependency file: /src/Umbraco.Cms/Umbraco.Cms.csproj
Path to vulnerable library: /src/Umbraco.Cms/Umbraco.Cms.csproj,/src/Umbraco.Examine.Lucene/Umbraco.Examine.Lucene.csproj,/src/Umbraco.Web.Common/Umbraco.Web.Common.csproj,/src/Umbraco.New.Cms.Web.Common/Umbraco.New.Cms.Web.Common.csproj,/src/Umbraco.New.Cms.Core/Umbraco.New.Cms.Core.csproj,/tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj,/tests/Umbraco.Tests.Common/Umbraco.Tests.Common.csproj,/src/Umbraco.Infrastructure/Umbraco.Infrastructure.csproj,/src/Umbraco.New.Cms.Infrastructure/Umbraco.New.Cms.Infrastructure.csproj,/legacy/Umbraco.Tests/Umbraco.Tests.csproj,/tests/Umbraco.Tests.Integration/Umbraco.Tests.Integration.csproj,/tests/Umbraco.TestData/Umbraco.TestData.csproj,/src/Umbraco.Web.BackOffice/Umbraco.Web.BackOffice.csproj,/src/Umbraco.PublishedCache.NuCache/Umbraco.PublishedCache.NuCache.csproj,/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj,/src/Umbraco.Cms.Persistence.Sqlite/Umbraco.Cms.Persistence.Sqlite.csproj,/tests/Umbraco.Tests.UnitTests/Umbraco.Tests.UnitTests.csproj,/src/Umbraco.Web.Website/Umbraco.Web.Website.csproj,/src/Umbraco.Cms.Persistence.SqlServer/Umbraco.Cms.Persistence.SqlServer.csproj,/src/Umbraco.Cms.StaticAssets/Umbraco.Cms.StaticAssets.csproj,/src/JsonSchema/JsonSchema.csproj,/src/Umbraco.Cms.ManagementApi/Umbraco.Cms.ManagementApi.csproj
Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.
Contains the core assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.core.10.0.0.nupkg
Path to dependency file: /src/Umbraco.Cms/Umbraco.Cms.csproj
Path to vulnerable library: /src/Umbraco.Cms/Umbraco.Cms.csproj,/src/Umbraco.Examine.Lucene/Umbraco.Examine.Lucene.csproj,/src/Umbraco.Web.Common/Umbraco.Web.Common.csproj,/src/Umbraco.New.Cms.Web.Common/Umbraco.New.Cms.Web.Common.csproj,/src/Umbraco.New.Cms.Core/Umbraco.New.Cms.Core.csproj,/tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj,/tests/Umbraco.Tests.Common/Umbraco.Tests.Common.csproj,/src/Umbraco.Infrastructure/Umbraco.Infrastructure.csproj,/src/Umbraco.New.Cms.Infrastructure/Umbraco.New.Cms.Infrastructure.csproj,/legacy/Umbraco.Tests/Umbraco.Tests.csproj,/tests/Umbraco.Tests.Integration/Umbraco.Tests.Integration.csproj,/tests/Umbraco.TestData/Umbraco.TestData.csproj,/src/Umbraco.Web.BackOffice/Umbraco.Web.BackOffice.csproj,/src/Umbraco.PublishedCache.NuCache/Umbraco.PublishedCache.NuCache.csproj,/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj,/src/Umbraco.Cms.Persistence.Sqlite/Umbraco.Cms.Persistence.Sqlite.csproj,/tests/Umbraco.Tests.UnitTests/Umbraco.Tests.UnitTests.csproj,/src/Umbraco.Web.Website/Umbraco.Web.Website.csproj,/src/Umbraco.Cms.Persistence.SqlServer/Umbraco.Cms.Persistence.SqlServer.csproj,/src/Umbraco.Cms.StaticAssets/Umbraco.Cms.StaticAssets.csproj,/src/JsonSchema/JsonSchema.csproj,/src/Umbraco.Cms.ManagementApi/Umbraco.Cms.ManagementApi.csproj
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2022-0255
### Vulnerable Library - umbraco.cms.core.10.0.0.nupkgContains the core assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.core.10.0.0.nupkg
Path to dependency file: /src/Umbraco.Cms/Umbraco.Cms.csproj
Path to vulnerable library: /src/Umbraco.Cms/Umbraco.Cms.csproj,/src/Umbraco.Examine.Lucene/Umbraco.Examine.Lucene.csproj,/src/Umbraco.Web.Common/Umbraco.Web.Common.csproj,/src/Umbraco.New.Cms.Web.Common/Umbraco.New.Cms.Web.Common.csproj,/src/Umbraco.New.Cms.Core/Umbraco.New.Cms.Core.csproj,/tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj,/tests/Umbraco.Tests.Common/Umbraco.Tests.Common.csproj,/src/Umbraco.Infrastructure/Umbraco.Infrastructure.csproj,/src/Umbraco.New.Cms.Infrastructure/Umbraco.New.Cms.Infrastructure.csproj,/legacy/Umbraco.Tests/Umbraco.Tests.csproj,/tests/Umbraco.Tests.Integration/Umbraco.Tests.Integration.csproj,/tests/Umbraco.TestData/Umbraco.TestData.csproj,/src/Umbraco.Web.BackOffice/Umbraco.Web.BackOffice.csproj,/src/Umbraco.PublishedCache.NuCache/Umbraco.PublishedCache.NuCache.csproj,/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj,/src/Umbraco.Cms.Persistence.Sqlite/Umbraco.Cms.Persistence.Sqlite.csproj,/tests/Umbraco.Tests.UnitTests/Umbraco.Tests.UnitTests.csproj,/src/Umbraco.Web.Website/Umbraco.Web.Website.csproj,/src/Umbraco.Cms.Persistence.SqlServer/Umbraco.Cms.Persistence.SqlServer.csproj,/src/Umbraco.Cms.StaticAssets/Umbraco.Cms.StaticAssets.csproj,/src/JsonSchema/JsonSchema.csproj,/src/Umbraco.Cms.ManagementApi/Umbraco.Cms.ManagementApi.csproj
Dependency Hierarchy: - :x: **umbraco.cms.core.10.0.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsUmbraco has a GeneratePassword function that is used to generate passwords that should be unpredictable, this function uses the .NET Random class which isn't cryptographically secure. An attacker is able to predict generated passwords and use them to log in to newly-created accounts.
Publish Date: 2022-03-29
URL: WS-2022-0255
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.
CVE-2024-34071
### Vulnerable Library - umbraco.cms.core.10.0.0.nupkgContains the core assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.core.10.0.0.nupkg
Path to dependency file: /src/Umbraco.Cms/Umbraco.Cms.csproj
Path to vulnerable library: /src/Umbraco.Cms/Umbraco.Cms.csproj,/src/Umbraco.Examine.Lucene/Umbraco.Examine.Lucene.csproj,/src/Umbraco.Web.Common/Umbraco.Web.Common.csproj,/src/Umbraco.New.Cms.Web.Common/Umbraco.New.Cms.Web.Common.csproj,/src/Umbraco.New.Cms.Core/Umbraco.New.Cms.Core.csproj,/tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj,/tests/Umbraco.Tests.Common/Umbraco.Tests.Common.csproj,/src/Umbraco.Infrastructure/Umbraco.Infrastructure.csproj,/src/Umbraco.New.Cms.Infrastructure/Umbraco.New.Cms.Infrastructure.csproj,/legacy/Umbraco.Tests/Umbraco.Tests.csproj,/tests/Umbraco.Tests.Integration/Umbraco.Tests.Integration.csproj,/tests/Umbraco.TestData/Umbraco.TestData.csproj,/src/Umbraco.Web.BackOffice/Umbraco.Web.BackOffice.csproj,/src/Umbraco.PublishedCache.NuCache/Umbraco.PublishedCache.NuCache.csproj,/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj,/src/Umbraco.Cms.Persistence.Sqlite/Umbraco.Cms.Persistence.Sqlite.csproj,/tests/Umbraco.Tests.UnitTests/Umbraco.Tests.UnitTests.csproj,/src/Umbraco.Web.Website/Umbraco.Web.Website.csproj,/src/Umbraco.Cms.Persistence.SqlServer/Umbraco.Cms.Persistence.SqlServer.csproj,/src/Umbraco.Cms.StaticAssets/Umbraco.Cms.StaticAssets.csproj,/src/JsonSchema/JsonSchema.csproj,/src/Umbraco.Cms.ManagementApi/Umbraco.Cms.ManagementApi.csproj
Dependency Hierarchy: - :x: **umbraco.cms.core.10.0.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsUmbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is protected so it requires the user to be signed into backoffice before the vulnerable is exposed. This vulnerability has been patched in version(s) 8.18.14, 10.8.6, 12.3.10 and 13.3.1.
Publish Date: 2024-05-21
URL: CVE-2024-34071
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-j74q-mv2c-rxmp
Release Date: 2024-05-21
Fix Resolution: UmbracoCms.Core - 8.18.14, Umbraco.Cms.Core - 10.8.6,12.3.10,13.3.1, Umbraco.Cms.Web.BackOffice - 10.8.6,12.3.10,13.3.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-48227
### Vulnerable Library - umbraco.cms.core.10.0.0.nupkgContains the core assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.core.10.0.0.nupkg
Path to dependency file: /src/Umbraco.Cms/Umbraco.Cms.csproj
Path to vulnerable library: /src/Umbraco.Cms/Umbraco.Cms.csproj,/src/Umbraco.Examine.Lucene/Umbraco.Examine.Lucene.csproj,/src/Umbraco.Web.Common/Umbraco.Web.Common.csproj,/src/Umbraco.New.Cms.Web.Common/Umbraco.New.Cms.Web.Common.csproj,/src/Umbraco.New.Cms.Core/Umbraco.New.Cms.Core.csproj,/tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj,/tests/Umbraco.Tests.Common/Umbraco.Tests.Common.csproj,/src/Umbraco.Infrastructure/Umbraco.Infrastructure.csproj,/src/Umbraco.New.Cms.Infrastructure/Umbraco.New.Cms.Infrastructure.csproj,/legacy/Umbraco.Tests/Umbraco.Tests.csproj,/tests/Umbraco.Tests.Integration/Umbraco.Tests.Integration.csproj,/tests/Umbraco.TestData/Umbraco.TestData.csproj,/src/Umbraco.Web.BackOffice/Umbraco.Web.BackOffice.csproj,/src/Umbraco.PublishedCache.NuCache/Umbraco.PublishedCache.NuCache.csproj,/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj,/src/Umbraco.Cms.Persistence.Sqlite/Umbraco.Cms.Persistence.Sqlite.csproj,/tests/Umbraco.Tests.UnitTests/Umbraco.Tests.UnitTests.csproj,/src/Umbraco.Web.Website/Umbraco.Web.Website.csproj,/src/Umbraco.Cms.Persistence.SqlServer/Umbraco.Cms.Persistence.SqlServer.csproj,/src/Umbraco.Cms.StaticAssets/Umbraco.Cms.StaticAssets.csproj,/src/JsonSchema/JsonSchema.csproj,/src/Umbraco.Cms.ManagementApi/Umbraco.Cms.ManagementApi.csproj
Dependency Hierarchy: - :x: **umbraco.cms.core.10.0.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsUmbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available.
Publish Date: 2023-12-12
URL: CVE-2023-48227
### CVSS 3 Score Details (4.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-335x-5wcm-8jv2
Release Date: 2023-12-12
Fix Resolution: UmbracoCms.Web - 8.18.10, Umbraco.Cms.Web.BackOffice - 10.8.0,12.3.0, UmbracoCms.Core - 8.18.10, Umbraco.Cms.Core - 10.8.0,12.3.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-35218
### Vulnerable Library - umbraco.cms.core.10.0.0.nupkgContains the core assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.core.10.0.0.nupkg
Path to dependency file: /src/Umbraco.Cms/Umbraco.Cms.csproj
Path to vulnerable library: /src/Umbraco.Cms/Umbraco.Cms.csproj,/src/Umbraco.Examine.Lucene/Umbraco.Examine.Lucene.csproj,/src/Umbraco.Web.Common/Umbraco.Web.Common.csproj,/src/Umbraco.New.Cms.Web.Common/Umbraco.New.Cms.Web.Common.csproj,/src/Umbraco.New.Cms.Core/Umbraco.New.Cms.Core.csproj,/tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj,/tests/Umbraco.Tests.Common/Umbraco.Tests.Common.csproj,/src/Umbraco.Infrastructure/Umbraco.Infrastructure.csproj,/src/Umbraco.New.Cms.Infrastructure/Umbraco.New.Cms.Infrastructure.csproj,/legacy/Umbraco.Tests/Umbraco.Tests.csproj,/tests/Umbraco.Tests.Integration/Umbraco.Tests.Integration.csproj,/tests/Umbraco.TestData/Umbraco.TestData.csproj,/src/Umbraco.Web.BackOffice/Umbraco.Web.BackOffice.csproj,/src/Umbraco.PublishedCache.NuCache/Umbraco.PublishedCache.NuCache.csproj,/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj,/src/Umbraco.Cms.Persistence.Sqlite/Umbraco.Cms.Persistence.Sqlite.csproj,/tests/Umbraco.Tests.UnitTests/Umbraco.Tests.UnitTests.csproj,/src/Umbraco.Web.Website/Umbraco.Web.Website.csproj,/src/Umbraco.Cms.Persistence.SqlServer/Umbraco.Cms.Persistence.SqlServer.csproj,/src/Umbraco.Cms.StaticAssets/Umbraco.Cms.StaticAssets.csproj,/src/JsonSchema/JsonSchema.csproj,/src/Umbraco.Cms.ManagementApi/Umbraco.Cms.ManagementApi.csproj
Dependency Hierarchy: - :x: **umbraco.cms.core.10.0.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsUmbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored Cross-site scripting (XSS) enable attackers that have access to backoffice to bring malicious content into a website or application. This vulnerability has been patched in version(s) 8.18.13, 10.8.4, 12.3.7, 13.1.1 by implementing IHtmlSanitizer.
Publish Date: 2024-05-21
URL: CVE-2024-35218
### CVSS 3 Score Details (4.2)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: High - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-gvpc-3pj6-4m9w
Release Date: 2024-05-21
Fix Resolution: UmbracoCms.Core - 8.18.13, Umbraco.Cms.Core - 10.8.4,12.3.7,13.1.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-49279
### Vulnerable Library - umbraco.cms.core.10.0.0.nupkgContains the core assembly needed to run Umbraco Cms. This package only contains the assembly, and can be used for package development. Use the template in the Umbraco.Templates package to setup Umbraco
Library home page: https://api.nuget.org/packages/umbraco.cms.core.10.0.0.nupkg
Path to dependency file: /src/Umbraco.Cms/Umbraco.Cms.csproj
Path to vulnerable library: /src/Umbraco.Cms/Umbraco.Cms.csproj,/src/Umbraco.Examine.Lucene/Umbraco.Examine.Lucene.csproj,/src/Umbraco.Web.Common/Umbraco.Web.Common.csproj,/src/Umbraco.New.Cms.Web.Common/Umbraco.New.Cms.Web.Common.csproj,/src/Umbraco.New.Cms.Core/Umbraco.New.Cms.Core.csproj,/tests/Umbraco.Tests.Benchmarks/Umbraco.Tests.Benchmarks.csproj,/tests/Umbraco.Tests.Common/Umbraco.Tests.Common.csproj,/src/Umbraco.Infrastructure/Umbraco.Infrastructure.csproj,/src/Umbraco.New.Cms.Infrastructure/Umbraco.New.Cms.Infrastructure.csproj,/legacy/Umbraco.Tests/Umbraco.Tests.csproj,/tests/Umbraco.Tests.Integration/Umbraco.Tests.Integration.csproj,/tests/Umbraco.TestData/Umbraco.TestData.csproj,/src/Umbraco.Web.BackOffice/Umbraco.Web.BackOffice.csproj,/src/Umbraco.PublishedCache.NuCache/Umbraco.PublishedCache.NuCache.csproj,/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj,/src/Umbraco.Cms.Persistence.Sqlite/Umbraco.Cms.Persistence.Sqlite.csproj,/tests/Umbraco.Tests.UnitTests/Umbraco.Tests.UnitTests.csproj,/src/Umbraco.Web.Website/Umbraco.Web.Website.csproj,/src/Umbraco.Cms.Persistence.SqlServer/Umbraco.Cms.Persistence.SqlServer.csproj,/src/Umbraco.Cms.StaticAssets/Umbraco.Cms.StaticAssets.csproj,/src/JsonSchema/JsonSchema.csproj,/src/Umbraco.Cms.ManagementApi/Umbraco.Cms.ManagementApi.csproj
Dependency Hierarchy: - :x: **umbraco.cms.core.10.0.0.nupkg** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsUmbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.
Publish Date: 2023-12-12
URL: CVE-2023-49279
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6xmx-85x3-4cv2
Release Date: 2023-12-12
Fix Resolution: UmbracoCMS.Core - 7.15.11,8.18.9, UmbracoCMS.Web - 7.15.11,8.18.9, Umbraco.CMS.Core - 10.7.0,11.5.0,12.2.0, Umbraco.Cms.Web.BackOffice - 10.7.0,11.5.0,12.2.0, Umbraco.Cms.Infrastructure - 10.7.0,11.5.0,12.2.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.