PT-2023-31048 · Umbraco · Umbraco
Mjalt96
·
Publicado
2023-12-12
·
Atualizado
2023-12-14
·
CVE-2023-49089
CVSS v3.1
7.7
Alta
| Vetor | AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Umbraco versions 8.0.0 through 8.18.9
Umbraco versions 10.0.0 through 10.8.0
Umbraco versions 12.0.0 through 12.2.9
Description
The issue allows Backoffice users with permissions to create packages to use path traversal, enabling them to write outside of the expected location. This is possible due to a flaw in the "Package" section of Umbraco Backoffice, which permits logged-in users to create folders outside the default package directory.
Recommendations
For Umbraco versions 8.0.0 through 8.18.9, update to version 8.18.10 to resolve the issue.
For Umbraco versions 10.0.0 through 10.8.0, update to version 10.8.1 to resolve the issue.
For Umbraco versions 12.0.0 through 12.2.9, update to version 12.3.0 to resolve the issue.
Exploit
Correção
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Umbraco