Lucene search

GoogleOSV:GHSA-6XMX-85X3-4CV2

HistoryDec 13, 2023 - 1:30 p.m.

Stored XSS via SVG File Upload

2023-12-1313:30:53

Google

osv.dev

xss

svg

file upload

server-side validation

backoffice

media host

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

13.3%

JSON

Impact

A user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed.

Workaround

Implement the server side file validation
https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation

Serve all media from an different host (e.g cdn) that where umbraco is hosted

CPENameOperatorVersion
umbraco.cmseq12.1.0-rc
umbraco.cmseq9.5.0-rc
umbraco.cmseq11.1.0-rc
umbraco.cmseq9.1.0-rc
umbraco.cmseq9.4.2
umbraco.cmseq10.5.0-rc
umbraco.cmseq10.0.1
umbraco.cmseq10.5.0
umbraco.cmseq10.2.0
umbraco.cmseq11.3.1

Name	Operator	Version
umbraco.cms	eq	12.1.0-rc
umbraco.cms	eq	9.5.0-rc
umbraco.cms	eq	11.1.0-rc
umbraco.cms	eq	9.1.0-rc
umbraco.cms	eq	9.4.2
umbraco.cms	eq	10.5.0-rc
umbraco.cms	eq	10.0.1
umbraco.cms	eq	10.5.0
umbraco.cms	eq	10.2.0
umbraco.cms	eq	11.3.1

Rows per page:

1-10 of 751

References

docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation

github.com/umbraco/Umbraco-CMS

github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6xmx-85x3-4cv2

nvd.nist.gov/vuln/detail/CVE-2023-49279