CVE-2024-48927 MEDIUM

CVE-2024-48927: Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice

Vendor Umbraco
Product Umbraco-CMS
Weakness CWE-74
Published October 22, 2024
Last update October 22, 2024

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

Description

Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution for Backoffice users when they "preview" SVG files in full screen mode. Versions 13.5.2, 10.8.7, and 8.18.15 contain a patch for the issue. As a workaround, server-side file validation is available to strip script tags from the file's content during the file upload process.
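The workaround above relies on validating an uploaded SVG on the server and removing script before the file is stored. The following is an added illustration of that technique, not Umbraco's own validator and not tied to its API: a small Python sanitiser built on the standard library's ElementTree. It goes slightly beyond "strip script tags" by also removing the other script-bearing constructs an SVG can carry (on* event-handler attributes, javascript: URLs in href/xlink:href, and foreignObject, which can embed arbitrary HTML) and rejects files that are not well-formed XML with an svg root. The sample upload embedded in the block is constructed for the example.

```python
"""Illustrative server-side SVG sanitiser (example code, not Umbraco's).

Removes <script> and <foreignObject> elements, on* event-handler attributes
and javascript: URLs from an uploaded SVG before it is stored, so that a
later "preview" of the file in a browser context has no script left to run.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the default SVG namespace and the xlink prefix when re-serialising.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that carry executable content or embed arbitrary HTML.
BLOCKED_ELEMENTS = {"script", "foreignObject"}
# URL-bearing attributes that are checked for the javascript: scheme.
URL_ATTRIBUTES = {"href", f"{{{XLINK_NS}}}href"}


def _local(name):
    """Return an element or attribute name without its {namespace} part."""
    return name.rsplit("}", 1)[-1]


def sanitize_svg(data: bytes):
    """Return (clean_svg_bytes, findings).

    findings lists what was removed, in document order; an empty list means
    the file needed no changes. Raises ValueError when the input is not
    well-formed XML or its root is not <svg>, so the caller can reject the
    upload outright instead of storing something a browser may still render.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")

    findings = []
    # ElementTree elements have no parent pointer; build a child -> parent map
    # so blocked elements can be detached from wherever they sit in the tree.
    parents = {child: parent for parent in root.iter() for child in parent}

    for el in list(root.iter()):
        if _local(el.tag) in BLOCKED_ELEMENTS:
            parents[el].remove(el)
            findings.append(f"removed <{_local(el.tag)}> element")
            continue
        for attr in list(el.attrib):
            value = el.attrib[attr]
            if _local(attr).lower().startswith("on"):
                # onload, onclick, onmouseover, ... all run script in a browser.
                del el.attrib[attr]
                findings.append(f"removed {_local(attr)} handler on <{_local(el.tag)}>")
            elif attr in URL_ATTRIBUTES and value.strip().lower().startswith("javascript:"):
                del el.attrib[attr]
                findings.append(f"removed javascript: URL on <{_local(el.tag)}>")

    return ET.tostring(root, encoding="utf-8", xml_declaration=True), findings


# Constructed sample upload: a harmless drawing with three script-bearing
# constructs added so the sanitiser has something to report.
SAMPLE_UPLOAD = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <script>/* constructed sample, removed by the sanitiser */</script>
  <rect width="10" height="10" onclick="x()" fill="red"/>
  <a xlink:href="javascript:y()"><circle r="3"/></a>
</svg>"""


if __name__ == "__main__":
    clean, findings = sanitize_svg(SAMPLE_UPLOAD)
    for line in findings:
        print(line)
    print(clean.decode())
```

In an upload pipeline this runs before the file is written to the media store; a non-empty findings list is worth logging as a security event, since a legitimate image editor rarely emits script or event handlers. ElementTree's parser does not expand external entities, but for a hostile-input path the defusedxml package's drop-in `defusedxml.ElementTree.fromstring` is the safer parser to substitute.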

Key dates

Disclosure timeline

October 22, 2024 CVE published
October 22, 2024 Record updated