CVE-2023-49089 – Umbraco CMS possible path traversal when creating packages from backoffice
https://notcve.org/view.php?id=CVE-2023-49089
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10.8.1, and 12.3.0 contain a patch for this issue.
References: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6324-52pr-h4p5
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-48313 – Umbraco contains a DOM-XSS
https://notcve.org/view.php?id=CVE-2023-48313
Umbraco is an ASP.NET content management system (CMS). Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contains a cross-site scripting (XSS) vulnerability enabling attackers to bring malicious content into a website or application. Versions 10.8.1 and 12.3.4 contain a patch for this issue.
References: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-v98m-398x-269r
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-48227 – Umbraco CMS Backoffice User can bypass "Publish" restriction
https://notcve.org/view.php?id=CVE-2023-48227
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contain a patch for this issue. No known workarounds are available.
References: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-335x-5wcm-8jv2
CWE-863: Incorrect Authorization
CVE-2023-38694 – Umbraco CMS vulnerable to possible injection of HTML in an unintended form
https://notcve.org/view.php?id=CVE-2023-38694
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain a patch for this issue.
References: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-xxc6-35r7-796w
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37267 – Umbraco allows possible Admin-level access to backoffice without Auth under rare conditions
https://notcve.org/view.php?id=CVE-2023-37267
Umbraco is an ASP.NET CMS. Under rare conditions a restart of Umbraco can allow unauthorized users access to admin-level permissions. This vulnerability was patched in versions 10.6.1, 11.4.2 and 12.0.1.
References:
https://github.com/umbraco/Umbraco-CMS/commit/1f26f2c6f3428833892cde5c6d8441fb041e410e
https://github.com/umbraco/Umbraco-CMS/commit/20a4e475c8d7b91d263e4e103ef19f3644e7b569
https://github.com/umbraco/Umbraco-CMS/commit/82eae48d098b9deecbdf86cf288b2b18020e1fed
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-h8wc-r4jh-mg7m
CWE-284: Improper Access Control