Note:
This project will be discontinued after December 13, 2021.
Product: Umbraco_cms (Umbraco)

Repositories:
• https://github.com/umbraco/Umbraco-CMS
• https://github.com/Umbraco/Umbraco-CMS

#Vulnerabilities: 40

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2024-05-21 | CVE-2024-34071 | Umbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is protected, so the user must be signed into the backoffice before the vulnerability is exposed. This vulnerability has been patched in version(s) 8.18.14, 10.8.6, 12.3.10 and 13.3.1. | Umbraco_cms | 6.1 | ||
2024-05-21 | CVE-2024-35218 | Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored cross-site scripting (XSS) enables attackers who have access to the backoffice to bring malicious content into a website or application. This vulnerability has been patched in version(s) 8.18.13, 10.8.4, 12.3.7, 13.1.1 by implementing IHtmlSanitizer. | Umbraco_cms | 4.8 | ||
2023-05-18 | CVE-2019-25137 | Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx. | Umbraco_cms | 7.2 | ||
2024-11-04 | CVE-2024-10761 | A vulnerability was found in Umbraco CMS up to 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1. It has been classified as problematic. Affected is an unknown function of the file /Umbraco/preview/frame?id{} of the component Dashboard. The manipulation of the argument culture leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.8.8, 13.5.3, 14.3.2 and 15.1.2 is able to address this issue. It is... | Umbraco_cms | 4.3 | ||
2020-01-23 | CVE-2020-7210 | Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts. | Umbraco_cms | 4.3 | ||
2020-03-16 | CVE-2020-9471 | Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Packages functionality. | Umbraco_cms | 8.8 | ||
2020-03-16 | CVE-2020-9472 | Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality. | Umbraco_cms | 6.5 | ||
2020-12-02 | CVE-2020-29454 | Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access. | Umbraco_cms | 4.3 | ||
2020-12-30 | CVE-2020-5809 | A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS. | Umbraco_cms | 5.4 | ||
2020-12-30 | CVE-2020-5810 | A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user authorized to upload media can upload a malicious .svg file which acts as a stored XSS payload. | Umbraco_cms | 5.4 | ||