Filtered by vendor Umbraco
Subscriptions
Total
43 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-5811 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | 6.5 Medium |
| An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, which could result in arbitrary files being written outside of the site home and expected paths when installing an Umbraco package. | ||||
| CVE-2020-5810 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | 5.4 Medium |
| A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user authorized to upload media can upload a malicious .svg file which act as a stored XSS payload. | ||||
| CVE-2020-5809 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | 5.4 Medium |
| A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS. | ||||
| CVE-2020-29454 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | 4.3 Medium |
| Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access. | ||||
| CVE-2019-25137 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | 7.2 High |
| Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx. | ||||
| CVE-2019-13957 | 1 Umbraco | 1 Umbraco | 2024-11-21 | 9.8 Critical |
| In Umbraco 7.3.8, there is SQL Injection in the backoffice/PageWApprove/PageWApproveApi/GetInpectSearch method via the nodeName parameter. | ||||
| CVE-2018-17256 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | N/A |
| Persistent cross-site scripting (XSS) vulnerability in Umbraco CMS 7.12.3 allows authenticated users to inject arbitrary web script via the Header Name of a content (Blog, Content Page, etc.). The vulnerability is exploited when updating or removing public access of a content. | ||||
| CVE-2017-15280 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | N/A |
| XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs. | ||||
| CVE-2017-15279 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 allows remote attackers to inject arbitrary web script or HTML via the "page name" (aka nodename) parameter during the creation of a new page, related to Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs and Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs. | ||||
| CVE-2015-8815 | 1 Umbraco | 1 Umbraco | 2024-11-21 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Umbraco before 7.4.0 allow remote attackers to inject arbitrary web script or HTML via the name parameter to (1) the media page, (2) the developer data edit page, or (3) the form page. | ||||
| CVE-2015-8814 | 1 Umbraco | 1 Umbraco | 2024-11-21 | N/A |
| Umbraco before 7.4.0 allows remote attackers to bypass anti-forgery security measures and conduct cross-site request forgery (CSRF) attacks as demonstrated by editing user account information in the templates.asmx.cs file. | ||||
| CVE-2015-8813 | 1 Umbraco | 1 Umbraco | 2024-11-21 | N/A |
| The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/dashboard/FeedProxy.aspx.cs in Umbraco before 7.4.0 allows remote attackers to conduct server-side request forgery (SSRF) attacks via the url parameter. | ||||
| CVE-2014-10074 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | N/A |
| Umbraco before 7.2.0 has a remote PHP code execution vulnerability because Umbraco.Web.UI/config/umbracoSettings.Release.config does not block the upload of .php files. | ||||
| CVE-2013-4793 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | N/A |
| The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS before 6.0.4 does not require authentication, which allows remote attackers to execute arbitrary ASP.NET code via a crafted SOAP request. | ||||
| CVE-2012-1301 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | 9.8 Critical |
| The FeedProxy.aspx script in Umbraco 4.7.0 allows remote attackers to proxy requests on their behalf via the "url" parameter. | ||||
| CVE-2024-10761 | 1 Umbraco | 1 Umbraco Cms | 2024-11-13 | 3.5 Low |
| A vulnerability was found in Umbraco CMS 12.3.6. It has been classified as problematic. Affected is an unknown function of the file /Umbraco/preview/frame?id{} of the component Dashboard. The manipulation of the argument culture leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor is not able to reproduce the issue. | ||||
| CVE-2024-48926 | 1 Umbraco | 1 Umbraco Cms | 2024-10-25 | 4.2 Medium |
| Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message before the server session has fully expired, causing users to believe they have been logged out approximately 30 seconds before they actually are. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. | ||||
| CVE-2024-48927 | 1 Umbraco | 1 Umbraco Cms | 2024-10-25 | 4.6 Medium |
| Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. As a workaround, derver-side file validation is available to strip script tags from file's content during the file upload process. | ||||
| CVE-2024-48929 | 1 Umbraco | 1 Umbraco Cms | 2024-10-25 | 4.2 Medium |
| Umbraco is a free and open source .NET content management system. In versions on the 13.x branch prior to 13.5.2 and versions on the 10.x branch prior to 10.8.7, during an explicit sign-out, the server session is not fully terminated. Versions 13.5.2 and 10.8.7 contain a patch for the issue. | ||||
| CVE-2024-47819 | 1 Umbraco | 1 Umbraco Cms | 2024-10-25 | 4.2 Medium |
| Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content. Versions 14.3.1 and 15.0.0 contain a patch. As a workaround, ensure that access to the Dictionary section is only granted to trusted users. | ||||