CVE-2023-49279
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-49279
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-49279.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-49279
- Aliases
- Published
- 2023-12-12T20:15:08Z
- Modified
- 2024-06-06T14:26:10.767744Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.
- References
Affected packages
Git / github.com/umbraco/umbraco-cms
Affected versions
7.*
7.3.0-beta
7.6-alpha071
7.6-beta5
Other
alpha070
temp8-cg18
dev-7.*
dev-7.6-RC1
dev-7.6-RC2
dev-7.6-RC3
dev-7.6-alpha-073
dev-7.6-alpha054
dev-7.6-alpha055
dev-7.6-alpha056
dev-7.6-alpha060
dev-7.6-alpha061
dev-7.6-alpha063
dev-7.6-alpha064
dev-7.6-alpha072
dev-7.6-alpha073
dev-7.6-alpha074
dev-7.6-alpha075
dev-7.6-beta02
dev-7.6-beta03
dev-7.6-beta04
dev-7.6-beta06
dev-v7.*
dev-v7.6-alpha065
dev-v7.6-alpha066
dev-v7.6-alpha068
dev-v7.7-beta002
release-6.*
release-6.2.0
release-6.2.0-beta
release-6.2.1
release-6.2.2
release-6.2.3
release-7.*
release-7.0.0
release-7.0.1
release-7.0.2
release-7.0.3
release-7.0.4
release-7.1.0
release-7.1.0-RC
release-7.1.0-beta
release-7.1.1
release-7.1.2
release-7.1.3
release-7.1.4
release-7.1.5
release-7.1.6
release-7.1.7
release-7.1.8
release-7.10.0
release-7.10.1
release-7.10.2
release-7.10.3
release-7.10.4
release-7.11.0
release-7.12.0
release-7.12.1
release-7.13.0
release-7.13.1
release-7.13.2
release-7.14.0
release-7.15.0
release-7.15.1
release-7.15.10
release-7.15.2
release-7.15.3
release-7.15.4
release-7.15.5
release-7.15.6
release-7.15.7
release-7.15.8
release-7.15.9
release-7.2.0
release-7.2.0-RC
release-7.2.0-alpha
release-7.2.0-beta
release-7.2.0-beta2
release-7.2.1
release-7.2.2
release-7.2.3
release-7.2.4
release-7.2.5
release-7.2.5-RC
release-7.2.6
release-7.2.7
release-7.2.8
release-7.3.0
release-7.3.0-RC
release-7.3.0-beta
release-7.3.0-beta2
release-7.3.0-beta3
release-7.3.1
release-7.3.2
release-7.3.3
release-7.3.4
release-7.3.5
release-7.3.6
release-7.3.7
release-7.3.8
release-7.4.0
release-7.4.0-RC1
release-7.4.0-beta2
release-7.4.1
release-7.4.2
release-7.4.3
release-7.5.0
release-7.5.0-beta
release-7.5.0-beta2
release-7.5.1
release-7.5.10
release-7.5.11
release-7.5.12
release-7.5.13
release-7.5.14
release-7.5.2
release-7.5.3
release-7.5.4
release-7.5.5
release-7.5.6
release-7.5.7
release-7.5.8
release-7.5.9
release-7.6.0
release-7.6.0-RC
release-7.6.0-beta
release-7.6.1
release-7.6.2
release-7.6.3
release-7.6.4
release-7.6.5
release-7.6.6
release-7.6.7
release-7.6.8
release-7.7.0
release-7.7.0-beta
release-7.7.1
release-7.7.10
release-7.7.11
release-7.7.12
release-7.7.13
release-7.7.2
release-7.7.3
release-7.7.4
release-7.7.5
release-7.7.6
release-7.7.7
release-7.7.8
release-7.7.9
release-7.8.0
release-7.8.0-beta
release-7.8.0-beta003
release-7.8.0-beta004
release-7.8.0-beta005
release-7.8.0-beta007
release-7.8.1
release-7.8.2
release-7.8.3
release-7.9.0
release-7.9.1
release-7.9.2
release-7.9.3
release-7.9.4
release-7.9.5
release-7.9.6
release/7.*
release/7.15.2