GHSA-54mj-vcvj-q3v5

Опубликовано: 22 дек. 2025

Источник: github

Github: Прошло ревью

CVSS4: 5.8

CVSS3: 10

Описание

Umbraco CMS has an arbitrary file upload vulnerability

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. While Umbraco provides hooks to perform file validation, it does not do implement filtering by default. Users are expected to implement their own validation.

Note: This vulnerability is disputed by Ubraco.

Ссылки

Пакеты

Наименование

Umbraco.Cms

nuget

Затронутые версииВерсия исправления

<= 16.3.3

Отсутствует

EPSS

Процентиль: 28%

0.001

Низкий

5.8 Medium

CVSS4

10 Critical

CVSS3

CVE ID

CVE-2025-67288

Дефекты

CWE-434

CWE-79

Связанные уязвимости

CVE-2025-67288

CVSS3: 10

nvd

около 2 месяцев назад

An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by uploading a crafted PDF file. NOTE: this is disputed by the Supplier because the responsibility for file validation (as shown in the documentation) belongs to the system administrator who is implementing Umbraco CMS in their environment, not to Umbraco CMS itself, a related issue to CVE-2023-49279.

EPSS

Процентиль: 28%

0.001

Низкий

5.8 Medium

CVSS4

10 Critical

CVSS3

CVE ID

CVE-2025-67288

Дефекты

CWE-434

CWE-79