#VU99234 Dangerous file upload in Umbraco CMS
Vulnerability identifier: #VU99234
Vulnerability risk: Low
CVSSv3.1: 5.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-434
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Umbraco CMS
Web applications /
CMS
Vendor: Umbraco
Description
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability exists due to the application allows to upload SVG files to the server. A remote user can upload a specially crafted SVG file with an arbitrary JavaScript code inside and execute ti in the victim's browser in the security context of the website once the image is viewed.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Umbraco CMS: 13.0.0 - 13.5.1, 12.0.0 - 12.3.10, 11.0.0 - 11.5.0, 10.1.0 - 10.8.6
External links
http://github.com/umbraco/Umbraco-CMS/releases/tag/release-13.5.2
http://github.com/umbraco/Umbraco-CMS/releases/tag/release-10.8.7
http://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-5955-cwv4-h7qh
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
