CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5810
https://notcve.org/view.php?id=CVE-2020-5810
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user authorized to upload media can upload a malicious .svg file which act as a stored XSS payload. Se presenta una vulnerabilidad de tipo XSS almacenado en Umbraco CMS versiones anteriores a 8.9.1 o actual. Un usuario autenticado autorizado para cargar multimedia puede cargar un archivo .svg malicioso que actúa como una carga útil de tipo XSS almacenado. • https://www.tenable.com/security/research/tra-2020-59 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 3CVE-2020-5811 – Umbraco CMS 8.9.1 - Directory Traversal
https://notcve.org/view.php?id=CVE-2020-5811
An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, which could result in arbitrary files being written outside of the site home and expected paths when installing an Umbraco package. Se presenta una vulnerabilidad de salto de ruta autenticada durante la instalación del paquete en Umbraco CMS versiones anteriores a 8.9.1 o actual, lo que podría resultar en la escritura de archivos arbitrarios fuera del inicio del sitio y las rutas esperadas cuando se instala un paquete Umbraco. Umbraco CMS versions 8.9.1 and below suffer from path traversal and arbitrary file write vulnerabilities. • https://www.exploit-db.com/exploits/50241 http://packetstormsecurity.com/files/163965/Umbraco-CMS-8.9.1-Traversal-Arbitrary-File-Write.html https://www.tenable.com/security/research/tra-2020-59 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-29454
https://notcve.org/view.php?id=CVE-2020-29454
Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access. El archivo Editors/LogViewerController.cs en Umbraco versiones hasta 8.9.1, permite a un usuario visitar un endpoint de logviewer inclusive si carece de acceso a Applications.Settings • https://github.com/umbraco/Umbraco-CMS/pull/9361 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 4CVE-2020-7210 – Umbraco CMS 8.2.2 Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2020-7210
Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts. Umbraco CMS versión 8.2.2, permite que un ataque de tipo CSRF habilite, deshabilite o elimine cuentas de usuario. Umbraco CMS version 8.2.2 suffers from cross site request forgery vulnerabilities. • http://packetstormsecurity.com/files/156062/Umbraco-CMS-8.2.2-Cross-Site-Request-Forgery.html http://seclists.org/fulldisclosure/2020/Jan/33 https://sec-consult.com/en/blog/advisories/cross-site-request-forgery-csrf-in-umbraco-cms https://sec-consult.com/en/vulnerability-lab/advisories/index.html https://seclists.org/bugtraq/2020/Jan/35 • CWE-352: Cross-Site Request Forgery (CSRF) •