CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27602 – Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content
https://notcve.org/view.php?id=CVE-2025-27602
11 Mar 2025 — Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to. The issue is patched in versions 10.8.9 and 13.7.1. No known workarounds are available. • https://github.com/umbraco/Umbraco-CMS/commit/5b54bed406682ceff57903bf7d3c57814eef31a7 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 4.2EPSS: 0%CPEs: 2EXPL: 0CVE-2024-48929 – Umbraco CMS Has Incomplete Server Termination During Explicit Sign-Out
https://notcve.org/view.php?id=CVE-2024-48929
22 Oct 2024 — Umbraco is a free and open source .NET content management system. In versions on the 13.x branch prior to 13.5.2 and versions on the 10.x branch prior to 10.8.7, during an explicit sign-out, the server session is not fully terminated. Versions 13.5.2 and 10.8.7 contain a patch for the issue. • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wxw9-6pv9-c3xc • CWE-384: Session Fixation •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-48927 – Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice
https://notcve.org/view.php?id=CVE-2024-48927
22 Oct 2024 — Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. As a workaround, derver-side file validation is available to strip script tags from file's content during the file upload process. • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-5955-cwv4-h7qh • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 4.2EPSS: 0%CPEs: 3EXPL: 0CVE-2024-48926 – Umbraco CMS logout page displayed before session expiration
https://notcve.org/view.php?id=CVE-2024-48926
22 Oct 2024 — Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message before the server session has fully expired, causing users to believe they have been logged out approximately 30 seconds before they actually are. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-fp6q-gccw-7qqm • CWE-613: Insufficient Session Expiration •
CVSS: 4.6EPSS: 0%CPEs: 4EXPL: 0CVE-2024-35218 – Umbraco CMS Vulnerable to Stored XSS on Content Page Through Markdown Editor Preview Pane
https://notcve.org/view.php?id=CVE-2024-35218
21 May 2024 — Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored Cross-site scripting (XSS) enable attackers that have access to backoffice to bring malicious content into a website or application. This vulnerability has been patched in version(s) 8.18.13, 10.8.4, 12.3.7, 13.1.1 by implementing IHtmlSanitizer. Umbraco CMS es un CMS ASP.NET utilizado por más de 730.000 sitios web. El Cross Site Scripting (XSS) Almacenado permite a los atacantes que tienen acceso al backoffice introducir contenido mal... • https://github.com/umbraco/Umbraco-CMS/commit/1b712fe6ec52aa4e71b3acf63e393c8e6ab85385 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-34071 – Open Redirect Bypass Protection
https://notcve.org/view.php?id=CVE-2024-34071
21 May 2024 — Umbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is protected so it requires the user to be signed into backoffice before the vulnerable is exposed. This vulnerability has been patched in version(s) 8.18.14, 10.8.6, 12.3.10 and 13.3.1. Umbraco es un CMS ASP.NET utilizado por más de 730.000 sitios web. • https://github.com/umbraco/Umbraco-CMS/commit/5f24de308584b9771240a6db1a34630a5114c450 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •