CVSS: 4.2EPSS: 0%CPEs: 3EXPL: 0CVE-2024-48926 – Umbraco CMS logout page displayed before session expiration
https://notcve.org/view.php?id=CVE-2024-48926
22 Oct 2024 — Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message before the server session has fully expired, causing users to believe they have been logged out approximately 30 seconds before they actually are. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-fp6q-gccw-7qqm • CWE-613: Insufficient Session Expiration •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-48925 – Umbraco CMS Improper Access Control Vulnerability Allows Low-Privilege Users to Access Webhook API
https://notcve.org/view.php?id=CVE-2024-48925
22 Oct 2024 — Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 and prior to version 14.3.0. The issue allows low-privilege users to access the webhook API and retrieve information that should be restricted to users with access to the settings section. Version 14.3.0 contains a patch. • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-4gp9-ff99-j6vj • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47819 – Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
https://notcve.org/view.php?id=CVE-2024-47819
22 Oct 2024 — Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content. Versions 14.3.1 and 15.0.0 contain a patch. As a workaround, ensure that access to the Dictionary section is o... • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-c5g6-6xf7-qxp3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43377 – Umbraco CMS Improper Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-43377
20 Aug 2024 — Umbraco CMS is an ASP.NET CMS. An authenticated user can access a few unintended endpoints. This issue is fixed in 14.1.2. • https://github.com/umbraco/Umbraco-CMS/commit/72bef8861d94a39d5cc9530a04c4797b91fcbecf • CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43376 – Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information
https://notcve.org/view.php?id=CVE-2024-43376
20 Aug 2024 — Umbraco is an ASP.NET CMS. Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode. This vulnerability is fixed in 14.1.2. • https://github.com/umbraco/Umbraco-CMS/commit/b76070c794925932cb159ef50b851db6e966a004 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 4.6EPSS: 0%CPEs: 4EXPL: 0CVE-2024-35218 – Umbraco CMS Vulnerable to Stored XSS on Content Page Through Markdown Editor Preview Pane
https://notcve.org/view.php?id=CVE-2024-35218
21 May 2024 — Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored Cross-site scripting (XSS) enable attackers that have access to backoffice to bring malicious content into a website or application. This vulnerability has been patched in version(s) 8.18.13, 10.8.4, 12.3.7, 13.1.1 by implementing IHtmlSanitizer. Umbraco CMS es un CMS ASP.NET utilizado por más de 730.000 sitios web. El Cross Site Scripting (XSS) Almacenado permite a los atacantes que tienen acceso al backoffice introducir contenido mal... • https://github.com/umbraco/Umbraco-CMS/commit/1b712fe6ec52aa4e71b3acf63e393c8e6ab85385 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-34071 – Open Redirect Bypass Protection
https://notcve.org/view.php?id=CVE-2024-34071
21 May 2024 — Umbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is protected so it requires the user to be signed into backoffice before the vulnerable is exposed. This vulnerability has been patched in version(s) 8.18.14, 10.8.6, 12.3.10 and 13.3.1. Umbraco es un CMS ASP.NET utilizado por más de 730.000 sitios web. • https://github.com/umbraco/Umbraco-CMS/commit/5f24de308584b9771240a6db1a34630a5114c450 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 4.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29035 – Umbraco's Blind SSRF Leads to Port Scan by using Webhooks
https://notcve.org/view.php?id=CVE-2024-29035
17 Apr 2024 — Umbraco is an ASP.NET CMS. Failing webhooks logs are available when solution is not in debug mode. Those logs can contain information that is critical. This vulnerability is fixed in 13.1.1. Umbraco es un CMS ASP.NET. • https://github.com/umbraco/Umbraco-CMS/commit/6b8067815c02ae43161966a8075a3585e1bc4de0 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28868 – Umbraco possible user enumeration vulnerability
https://notcve.org/view.php?id=CVE-2024-28868
20 Mar 2024 — Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively using external logins. Umbraco es un sistema de gestión de contenidos ASP.NET. • https://github.com/umbraco/Umbraco-CMS/commit/7e1d1a1968000226cd882fff078b122b8d46c44d • CWE-204: Observable Response Discrepancy •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-49279 – Umbraco CMS vulnerable to stored XSS via SVG File Upload
https://notcve.org/view.php?id=CVE-2023-49279
12 Dec 2023 — Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. • https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •