CVE-2023-49279

Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.

Published: Dec 12, 2023
Updated: May 10, 2024
CVE: CVE-2023-49279
GHSA: GHSA-6xmx-85x3-4cv2
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
Umbraco.CMS	7.0.0	7.15.11
Umbraco.CMS	8.0.0	8.18.9
Umbraco.CMS	9.0.0	10.7.0
Umbraco.CMS	11.0.0	11.5.0
Umbraco.CMS	12.0.0	12.2.0
umbraco / umbraco_cms	12.0.0	12.2.0
umbraco / umbraco_cms	11.0.0	11.5.0
umbraco / umbraco_cms	10.0.0	10.7.0
umbraco / umbraco_cms	8.0.0	8.18.9
umbraco / umbraco_cms	7.0.0	7.15.11

Vulnerability Database

289,697

CVE-2023-49279