CVE-2025-48953

Опубликовано: 03 июн. 2025

Источник: nvd

CVSS3: 5.5

CVSS3: 6.5

EPSS Низкий

Описание

Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's possible to upload a file that doesn't adhere with the configured allowable file extensions via a manipulated API request. The issue is patched in versions 15.4.2 and 16.0.0. No known workarounds are available.

Ссылки

https://github.com/umbraco/Umbraco-CMS/commit/d920e93d1ee29dc3301697e444f53e8cd5db3cf9
Patch
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-fr6r-p8hv-x3c4
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*

Версия от 14.0.0 (включая) до 15.4.2 (исключая)

EPSS

Процентиль: 13%

0.00043

Низкий

5.5 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-434

Связанные уязвимости

GHSA-fr6r-p8hv-x3c4

CVSS3: 5.5

github

8 месяцев назад

Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads

EPSS

Процентиль: 13%

0.00043

Низкий

5.5 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-434