Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Umbraco_cms
(Umbraco)| Repositories |
• https://github.com/umbraco/Umbraco-CMS
• https://github.com/Umbraco/Umbraco-CMS |
| #Vulnerabilities | 40 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2025-01-21 | CVE-2025-24011 | Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available. | Umbraco_cms | 5.3 | ||
| 2025-01-21 | CVE-2025-24012 | Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, authenticated users are able to exploit a cross-site scripting vulnerability when viewing certain localized backoffice components. Versions 14.3.2 and 15.1.2 contain a patch. | Umbraco_cms | 5.4 | ||
| 2024-03-20 | CVE-2024-28868 | Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively using external logins. | Umbraco_cms | 5.3 | ||
| 2024-04-17 | CVE-2024-29035 | Umbraco is an ASP.NET CMS. Failing webhooks logs are available when solution is not in debug mode. Those logs can contain information that is critical. This vulnerability is fixed in 13.1.1. | Umbraco_cms | 5.3 | ||
| 2024-05-21 | CVE-2024-34071 | Umbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is protected so it requires the user to be signed into backoffice before the vulnerable is exposed. This vulnerability has been patched in version(s) 8.18.14, 10.8.6, 12.3.10 and 13.3.1. | Umbraco_cms | 6.1 | ||
| 2024-05-21 | CVE-2024-35218 | Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored Cross-site scripting (XSS) enable attackers that have access to backoffice to bring malicious content into a website or application. This vulnerability has been patched in version(s) 8.18.13, 10.8.4, 12.3.7, 13.1.1 by implementing IHtmlSanitizer. | Umbraco_cms | 4.8 | ||
| 2023-05-18 | CVE-2019-25137 | Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx. | Umbraco_cms | 7.2 | ||
| 2024-11-04 | CVE-2024-10761 | A vulnerability was found in Umbraco CMS up to 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1. It has been classified as problematic. Affected is an unknown function of the file /Umbraco/preview/frame?id{} of the component Dashboard. The manipulation of the argument culture leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.8.8, 13.5.3, 14.3.2 and 15.1.2 is able to address this issue. It is... | Umbraco_cms | 4.3 | ||
| 2020-01-23 | CVE-2020-7210 | Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts. | Umbraco_cms | 4.3 | ||
| 2020-03-16 | CVE-2020-9471 | Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Packages functionality. | Umbraco_cms | 8.8 |