Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. As a workaround, derver-side file validation is available to strip script tags from files content during the file upload process.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Umbraco_cms | Umbraco | 8.0 (including) | 8.18.15 (excluding) |
| Umbraco_cms | Umbraco | 10.0 (including) | 10.8.7 (excluding) |
| Umbraco_cms | Umbraco | 13.0 (including) | 13.5.2 (excluding) |