CVE-2024-29035 – Umbraco's Blind SSRF Leads to Port Scan by using Webhooks
https://notcve.org/view.php?id=CVE-2024-29035
Umbraco is an ASP.NET CMS. Failing webhooks logs are available when solution is not in debug mode. Those logs can contain information that is critical. This vulnerability is fixed in 13.1.1. Umbraco es un CMS ASP.NET. • https://github.com/umbraco/Umbraco-CMS/commit/6b8067815c02ae43161966a8075a3585e1bc4de0 https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-74p6-39f2-23v3 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2024-28868 – Umbraco possible user enumeration vulnerability
https://notcve.org/view.php?id=CVE-2024-28868
Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively using external logins. Umbraco es un sistema de gestión de contenidos ASP.NET. • https://github.com/umbraco/Umbraco-CMS/commit/7e1d1a1968000226cd882fff078b122b8d46c44d https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-552f-97wf-pmpq • CWE-204: Observable Response Discrepancy •
CVE-2023-49279 – Umbraco CMS vulnerable to stored XSS via SVG File Upload
https://notcve.org/view.php?id=CVE-2023-49279
Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. • https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6xmx-85x3-4cv2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-49278 – Umbraco CMS brute force exploit can be used to collect valid usernames
https://notcve.org/view.php?id=CVE-2023-49278
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue. Umbraco es un sistema de gestión de contenidos (CMS) ASP.NET. A partir de la versión 8.0.0 y anteriores a las versiones 8.18.10, 10.8.1 y 12.3.4, se puede utilizar un exploit de fuerza bruta para recopilar nombres de usuario válidos. • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-7x74-h8cw-qhxq • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVE-2023-49274 – Umbraco CMS SMTP misconfiguration exposes potential registered user email
https://notcve.org/view.php?id=CVE-2023-49274
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a user enumeration attack is possible when SMTP is not set up correctly, but reset password is enabled. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue. Umbraco es un sistema de gestión de contenidos (CMS) ASP.NET. A partir de la versión 8.0.0 y anteriores a las versiones 8.18.10, 10.8.1 y 12.3.4, es posible un ataque de enumeración de usuarios cuando SMTP no está configurado correctamente, pero el restablecimiento de contraseña está habilitado. • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-8qp8-9rpw-j46c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •