CVE-2024-48927

Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. As a workaround, derver-side file validation is available to strip script tags from file's content during the file upload process.

Published: Oct 22, 2024
Updated: May 4, 2025
CVE: CVE-2024-48927
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.6
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
umbraco / umbraco_cms	8.0	8.18.15
umbraco / umbraco_cms	10.0	10.8.7
umbraco / umbraco_cms	13.0	13.5.2

https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-5955-cwv4-h7qh

Vulnerability Database

289,697

CVE-2024-48927