CVE-2024-48927
EUVD-2024-294722.10.2024, 16:15
Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. As a workaround, derver-side file validation is available to strip script tags from file's content during the file upload process.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| umbraco | umbraco_cms | 8.0 ≤ 𝑥 < 8.18.15 |
| umbraco | umbraco_cms | 10.0 ≤ 𝑥 < 10.8.7 |
| umbraco | umbraco_cms | 13.0 ≤ 𝑥 < 13.5.2 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| umbraco | umbraco_cms | 13.0.0 ≤ 𝑥 ≤ 13.5.2 | ADP |
| umbraco | umbraco_cms | 10.0.0 ≤ 𝑥 ≤ 10.8.7 | ADP |
| umbraco | umbraco_cms | 8.0.0 ≤ 𝑥 ≤ 8.18.15 | ADP |
Common Weakness Enumeration
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.