PT-2024-33275 · Umbraco · Umbraco
Bergmania
·
Published
2024-10-22
·
Updated
2024-10-25
·
CVE-2024-48927
CVSS v3.1
4.6
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Umbraco versions 13.x prior to 13.5.2
Umbraco versions 10.x prior to 10.8.7
Umbraco versions 8.x prior to 8.18.15
Description
There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode. This issue allows for remote code execution.
Recommendations
For versions 13.x prior to 13.5.2, update to version 13.5.2 to resolve the issue.
For versions 10.x prior to 10.8.7, update to version 10.8.7 to resolve the issue.
For versions 8.x prior to 8.18.15, update to version 8.18.15 to resolve the issue.
As a temporary workaround, consider enabling server-side file validation to strip script tags from a file's content during the file upload process.
Exploit
Fix
RCE
Special Elements Injection
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Umbraco