Umbraco Cms
CVE-2017-15280
MEDIUM
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs.
AnalysisAI
XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified as XML External Entity (XXE) (CWE-611), which allows attackers to read arbitrary files or perform SSRF through XML processing. XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs. Affected products include: Umbraco Umbraco Cms. Version information: before 7.7.3.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Disable external entity processing in XML parsers, use JSON instead of XML where possible.
More in Umbraco Cms
View allUmbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx
Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package
A vulnerability was found in Umbraco CMS up to 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1. Rated medium severity (CVSS 6.9), thi
A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scrip
An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, whi
Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package f
The FeedProxy.aspx script in Umbraco 4.7.0 allows remote attackers to proxy requests on their behalf via the "url" param
Arbitrary code execution in Umbraco CMS 16.3.3 is claimed via upload of a crafted PDF file that abuses insufficient file
Umbraco is a ASP.NET CMS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authenticat
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. Rated medium severity (CVSS 5.4), this vulnerabili
A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. Rated medium severity (CVSS 5.4), this vulnerabili
Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl par
Share
External POC / Exploit Code
Leaving vuln.today