GHSA-5955-cwv4-h7qh

Suggest an improvement
Source
https://github.com/advisories/GHSA-5955-cwv4-h7qh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-5955-cwv4-h7qh/GHSA-5955-cwv4-h7qh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5955-cwv4-h7qh
Aliases
Published
2024-10-22T18:12:38Z
Modified
2024-10-22T19:33:43.446221Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Umbraco has a Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice
Details

Impact

There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode.

Workarounds

Server-side file validation is available to strip script tags from file's content during the file upload process.

References

Affected packages

NuGet / UmbracoCms

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.18.15

Affected versions

8.*

8.0.0
8.0.1
8.0.2
8.0.3
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6
8.2.0-rc
8.2.0
8.2.1
8.2.2
8.2.3
8.3.0
8.3.1
8.4.0-rc
8.4.0
8.4.1
8.4.2
8.5.0
8.5.1
8.5.2
8.5.3
8.5.4
8.5.5
8.6.0-rc
8.6.0
8.6.1
8.6.2
8.6.3
8.6.4
8.6.5
8.6.6
8.6.7
8.6.8
8.7.0-rc
8.7.0
8.7.1
8.7.2
8.7.3
8.8.0-rc
8.8.0
8.8.1
8.8.2
8.8.3
8.8.4
8.9.0-rc
8.9.0
8.9.1
8.9.2
8.9.3
8.10.0-rc
8.10.0
8.10.1
8.10.2
8.10.3
8.11.0-rc
8.11.0
8.11.1
8.11.2
8.11.3
8.12.0-rc
8.12.0
8.12.1
8.12.2
8.12.3
8.13.0-rc
8.13.0
8.13.1
8.14.0-rc
8.14.0
8.14.1
8.14.2
8.14.3
8.14.4
8.15.0-rc
8.15.0
8.15.1
8.15.2
8.15.3
8.16.0-rc
8.16.0
8.17.0-rc
8.17.0-rc2
8.17.0
8.17.1
8.17.2
8.18.0-rc
8.18.0-rc2
8.18.0
8.18.1
8.18.2
8.18.3
8.18.4
8.18.5
8.18.6
8.18.7
8.18.8
8.18.9
8.18.10
8.18.11
8.18.12
8.18.13
8.18.14

NuGet / Umbraco.Cms

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.8.7

Affected versions

10.*

10.0.0
10.0.1
10.1.0-rc
10.1.0-rc2
10.1.0
10.1.1
10.2.0-rc
10.2.0
10.2.1
10.3.0-rc
10.3.0
10.3.1
10.3.2
10.4.0-rc
10.4.0
10.4.1
10.4.2
10.5.0-rc
10.5.0
10.5.1
10.6.0-rc
10.6.0
10.6.1
10.7.0-rc
10.7.0
10.8.0-rc
10.8.0
10.8.1
10.8.2
10.8.3
10.8.4
10.8.5
10.8.6

NuGet / Umbraco.Cms

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13.0.0
Fixed
13.5.2

Affected versions

13.*

13.0.0
13.0.1
13.0.2
13.0.3
13.1.0-rc
13.1.0
13.1.1
13.2.0-rc
13.2.0
13.2.1
13.2.2
13.3.0-rc
13.3.0
13.3.1
13.3.2
13.4.0-rc
13.4.0-rc2
13.4.0
13.4.1
13.5.0-rc
13.5.0
13.5.1