Total
40 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-24012 | 1 Umbraco | 1 Umbraco Cms | 2025-02-20 | N/A | 5.4 MEDIUM |
| Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, authenticated users are able to exploit a cross-site scripting vulnerability when viewing certain localized backoffice components. Versions 14.3.2 and 15.1.2 contain a patch. | |||||
| CVE-2025-24011 | 1 Umbraco | 1 Umbraco Cms | 2025-02-20 | N/A | 5.3 MEDIUM |
| Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available. | |||||
| CVE-2024-35218 | 1 Umbraco | 1 Umbraco Cms | 2025-02-12 | N/A | 4.8 MEDIUM |
| Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored Cross-site scripting (XSS) enable attackers that have access to backoffice to bring malicious content into a website or application. This vulnerability has been patched in version(s) 8.18.13, 10.8.4, 12.3.7, 13.1.1 by implementing IHtmlSanitizer. | |||||
| CVE-2024-34071 | 1 Umbraco | 1 Umbraco Cms | 2025-02-12 | N/A | 6.1 MEDIUM |
| Umbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is protected so it requires the user to be signed into backoffice before the vulnerable is exposed. This vulnerability has been patched in version(s) 8.18.14, 10.8.6, 12.3.10 and 13.3.1. | |||||
| CVE-2024-29035 | 1 Umbraco | 1 Umbraco Cms | 2025-02-12 | N/A | 5.3 MEDIUM |
| Umbraco is an ASP.NET CMS. Failing webhooks logs are available when solution is not in debug mode. Those logs can contain information that is critical. This vulnerability is fixed in 13.1.1. | |||||
| CVE-2024-28868 | 1 Umbraco | 1 Umbraco Cms | 2025-02-12 | N/A | 5.3 MEDIUM |
| Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively using external logins. | |||||
| CVE-2019-25137 | 1 Umbraco | 1 Umbraco Cms | 2025-01-22 | N/A | 7.2 HIGH |
| Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx. | |||||
| CVE-2024-10761 | 1 Umbraco | 1 Umbraco Cms | 2025-01-22 | N/A | 4.3 MEDIUM |
| A vulnerability was found in Umbraco CMS up to 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1. It has been classified as problematic. Affected is an unknown function of the file /Umbraco/preview/frame?id{} of the component Dashboard. The manipulation of the argument culture leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.8.8, 13.5.3, 14.3.2 and 15.1.2 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2024-48926 | 1 Umbraco | 1 Umbraco Cms | 2024-10-25 | N/A | 3.1 LOW |
| Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message before the server session has fully expired, causing users to believe they have been logged out approximately 30 seconds before they actually are. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. | |||||
| CVE-2024-48927 | 1 Umbraco | 1 Umbraco Cms | 2024-10-25 | N/A | 4.6 MEDIUM |
| Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. As a workaround, derver-side file validation is available to strip script tags from file's content during the file upload process. | |||||
| CVE-2024-48929 | 1 Umbraco | 1 Umbraco Cms | 2024-10-25 | N/A | 4.2 MEDIUM |
| Umbraco is a free and open source .NET content management system. In versions on the 13.x branch prior to 13.5.2 and versions on the 10.x branch prior to 10.8.7, during an explicit sign-out, the server session is not fully terminated. Versions 13.5.2 and 10.8.7 contain a patch for the issue. | |||||
| CVE-2024-47819 | 1 Umbraco | 1 Umbraco Cms | 2024-10-25 | N/A | 8.7 HIGH |
| Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content. Versions 14.3.1 and 15.0.0 contain a patch. As a workaround, ensure that access to the Dictionary section is only granted to trusted users. | |||||
| CVE-2024-48925 | 1 Umbraco | 1 Umbraco Cms | 2024-10-25 | N/A | 6.5 MEDIUM |
| Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 and prior to version 14.3.0. The issue allows low-privilege users to access the webhook API and retrieve information that should be restricted to users with access to the settings section. Version 14.3.0 contains a patch. | |||||
| CVE-2024-43377 | 1 Umbraco | 1 Umbraco Cms | 2024-08-26 | N/A | 4.3 MEDIUM |
| Umbraco CMS is an ASP.NET CMS. An authenticated user can access a few unintended endpoints. This issue is fixed in 14.1.2. | |||||
| CVE-2024-43376 | 1 Umbraco | 1 Umbraco Cms | 2024-08-26 | N/A | 5.3 MEDIUM |
| Umbraco is an ASP.NET CMS. Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode. This vulnerability is fixed in 14.1.2. | |||||
| CVE-2023-38694 | 1 Umbraco | 1 Umbraco Cms | 2023-12-18 | N/A | 5.4 MEDIUM |
| Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain a patch for this issue. | |||||
| CVE-2023-49279 | 1 Umbraco | 1 Umbraco Cms | 2023-12-15 | N/A | 5.4 MEDIUM |
| Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted. | |||||
| CVE-2023-49278 | 1 Umbraco | 1 Umbraco Cms | 2023-12-15 | N/A | 5.3 MEDIUM |
| Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue. | |||||
| CVE-2023-49273 | 1 Umbraco | 1 Umbraco Cms | 2023-12-15 | N/A | 5.4 MEDIUM |
| Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue. | |||||
| CVE-2023-48227 | 1 Umbraco | 1 Umbraco Cms | 2023-12-15 | N/A | 4.3 MEDIUM |
| Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available. | |||||