CVE-2023-49089

Summary

Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10.8.1, and 12.3.0 contain a patch for this issue.

Affected Software

VendorProductVersion RangeStatus
umbracoUmbraco-CMS>= 8.0.0, < 8.18.10affected
umbracoUmbraco-CMS>= 9.0.0-rc001, < 10.8.1affected
umbracoUmbraco-CMS>= 11.0.0-rc1, < 12.3.4affected

Weaknesses

  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CVE Program Container

Additional References

References