CVE-2023-49089

Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10.8.1, and 12.3.0 contain a patch for this issue.

Published: Dec 12, 2023
Updated: May 10, 2024
CVE: CVE-2023-49089
GHSA: GHSA-6324-52pr-h4p5
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
Umbraco.CMS	8.0.0	8.18.10
Umbraco.CMS	9.0.0	10.8.1
Umbraco.CMS	11.0.0	12.3.4
umbraco / umbraco_cms	10.0.0	10.8.1
umbraco / umbraco_cms	12.0.0	12.3.0
umbraco / umbraco_cms	8.0.0	8.18.10

https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6324-52pr-h4p5

Vulnerability Database

289,697

CVE-2023-49089