CVE-2023-49279

Name of the Vulnerable Software and Affected Versions Umbraco versions 7.0.0 through 7.15.10 Umbraco versions 8.0.0 through 8.18.8 Umbraco versions 10.0.0 through 10.6.9 Umbraco versions 11.0.0 through 11.4.9 Umbraco versions 12.0.0 through 12.1.9

Description Umbraco is an ASP.NET content management system (CMS). A user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed.

Recommendations For versions 7.0.0 through 7.15.10, update to version 7.15.11 or later. For versions 8.0.0 through 8.18.8, update to version 8.18.9 or later. For versions 10.0.0 through 10.6.9, update to version 10.7.0 or later. For versions 11.0.0 through 11.4.9, update to version 11.5.0 or later. For versions 12.0.0 through 12.1.9, update to version 12.2.0 or later. As a temporary workaround, consider implementing server-side file validation or serving all media from a different host (e.g., CDN) than where Umbraco is hosted.