Vulnerability Database
296,746
Total vulnerabilities in the database
CVE-2023-49279
Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.
| Software | From | Fixed in |
|---|---|---|
Umbraco.CMS
|
7.0.0 | 7.15.11 |
|
Umbraco.CMS
|
8.0.0 | 8.18.9 |
|
Umbraco.CMS
|
9.0.0 | 10.7.0 |
|
Umbraco.CMS
|
11.0.0 | 11.5.0 |
|
Umbraco.CMS
|
12.0.0 | 12.2.0 |
| umbraco / umbraco_cms | 12.0.0 | 12.2.0 |
| umbraco / umbraco_cms | 11.0.0 | 11.5.0 |
| umbraco / umbraco_cms | 10.0.0 | 10.7.0 |
| umbraco / umbraco_cms | 8.0.0 | 8.18.9 |
| umbraco / umbraco_cms | 7.0.0 | 7.15.11 |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime