CVE-2023-49279

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-49279
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-49279.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-49279
Aliases
Published
2023-12-12T19:35:05.931Z
Modified
2026-04-10T05:05:01.857492Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Umbraco CMS vulnerable to stored XSS via SVG File Upload
Details

Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/49xxx/CVE-2023-49279.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/umbraco/umbraco-cms

Affected ranges

Type
GIT
Repo
https://github.com/umbraco/umbraco-cms
Events
Introduced
f916a6bc18d2dfe6efafaa2b9d040f40b8c61a31
Fixed
bd60f4e2cea7ace2984dcfb8e61ef6512ea77c73
Database specific 
{
    "versions": [
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.15.11"
        }
    ]
}
Type
GIT
Repo
https://github.com/umbraco/umbraco-cms
Events
Introduced
b8db430615d76521a4394a23f9928dc7c12f87bd
Fixed
dac9986ed28b798400ced60d1b055771f6b973e1
Database specific 
{
    "versions": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.18.9"
        }
    ]
}
Type
GIT
Repo
https://github.com/umbraco/umbraco-cms
Events
Introduced
4f06c1f33a54daf4752a439778626202960db68c
Fixed
fd043f6ecf7b45aea1ec4dfdf2097c5673b0bff5
Database specific 
{
    "versions": [
        {
            "introduced": "9.0.0-rc001"
        },
        {
            "fixed": "10.7.0"
        }
    ]
}
Type
GIT
Repo
https://github.com/umbraco/umbraco-cms
Events
Introduced
38712dce16aa9412af3d81d4884bfc6e5533e019
Fixed
147b46440fa5ba399838ff2f8aaf115518e7ad41
Database specific 
{
    "versions": [
        {
            "introduced": "11.0.0-rc1"
        },
        {
            "fixed": "11.5.0"
        }
    ]
}
Type
GIT
Repo
https://github.com/umbraco/umbraco-cms
Events
Introduced
a4202f352aabbf230b300fad389c8ebefe4c2b6c
Fixed
173d8dcf47fcd18584b80190db14144a363cbdd5
Database specific 
{
    "versions": [
        {
            "introduced": "12.0.0-rc1"
        },
        {
            "fixed": "12.2.0"
        }
    ]
}

Affected versions

release-7.*
release-7.0.0
release-7.1.0
release-7.1.0-RC
release-7.1.1
release-7.1.2
release-7.1.3
release-7.1.4
release-7.10.0
release-7.11.0
release-7.12.0
release-7.12.1
release-7.13.0
release-7.14.0
release-7.15.0
release-7.15.1
release-7.15.10
release-7.15.2
release-7.15.3
release-7.15.5
release-7.15.6
release-7.15.7
release-7.15.8
release-7.15.9
release-7.2.0-alpha
release-7.2.0-beta
release-7.2.0-beta2
release-7.4.0
release-7.4.0-RC1
release-7.4.0-beta2
release-7.4.1
release-7.4.2
release-7.4.3
release-7.5.0
release-7.5.0-beta
release-7.5.0-beta2
release-7.5.1
release-7.5.10
release-7.5.11
release-7.5.12
release-7.5.13
release-7.5.14
release-7.5.3
release-7.5.5
release-7.5.8
release-7.5.9
release-7.6.2
release-7.6.3
release-7.6.7
release-7.6.8
release-7.7.10
release-7.7.11
release-7.7.12
release-7.7.13
release-7.7.2
release-7.7.4
release-7.7.5
release-7.7.6
release-7.7.7
release-7.7.8
release-7.7.9
release-7.9.1
release-7.9.2
release-7.9.3
release/7.*
release/7.15.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-49279.json"