5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
6.8 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
13.3%
A user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed.
Implement the server side file validation
https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation
or
Serve all media from an different host (e.g cdn) that where umbraco is hosted
CPE | Name | Operator | Version |
---|---|---|---|
umbraco.cms | lt | 12.2.0 | |
umbraco.cms | lt | 11.5.0 | |
umbraco.cms | ge | 9.0.0 | |
umbraco.cms | lt | 10.7.0 | |
umbraco.cms | lt | 8.18.9 | |
umbraco.cms | lt | 7.15.11 |
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
6.8 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
13.3%