CVE-2024-48927

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

Published: Oct 22, 2024 / Updated: 28d ago

010
CVSS 4.6EPSS 0.04%Medium
CVE info copied to clipboard

Summary

Umbraco, a free and open source .NET content management system, has a remote code execution vulnerability affecting versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The issue arises when Backoffice users "preview" SVG files in full screen mode, potentially allowing code execution.

Impact

This vulnerability could allow an attacker to execute arbitrary code on the affected Umbraco installations. While the attack requires user interaction (previewing an SVG file in full screen mode) and low-level privileges, it could lead to unauthorized access to sensitive information or further system compromise. The CVSS v3.1 base score is 4.6, indicating a medium severity with low confidentiality and integrity impact, but no availability impact.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

Patches are available. Umbraco has released fixed versions: 13.5.2, 10.8.7, and 8.18.15. Users should upgrade to these patched versions to mitigate the vulnerability.

Mitigation

1. Upgrade Umbraco to the patched versions: 13.5.2, 10.8.7, or 8.18.15, depending on your current branch. 2. If immediate patching is not possible, implement the provided workaround: Use server-side file validation to strip script tags from file content during the file upload process. 3. Educate Backoffice users about the risks of previewing SVG files in full screen mode until the patch is applied. 4. Consider restricting SVG file uploads or previews if feasible in your environment.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (5001319)

Oct 22, 2024 at 7:53 AM
Vendor Advisory

GitHub Advisories released a security advisory.

Oct 22, 2024 at 8:03 AM
CVE Assignment

NVD published the first details for CVE-2024-48927

Oct 22, 2024 at 4:15 PM
CVSS

A CVSS base score of 4.6 has been assigned.

Oct 22, 2024 at 4:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-48927. See article

Oct 22, 2024 at 4:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 22, 2024 at 4:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 23, 2024 at 10:38 AM
Static CVE Timeline Graph

Affected Systems

Umbraco/umbraco_cms
+null more

Patches

Github Advisory
+null more

Links to Mitre Att&cks

T1562.003: Impair Command History Logging
+null more

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables
+null more

Vendor Advisory

[GHSA-5955-cwv4-h7qh] Umbraco has a Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice
GitHub Security Advisory: GHSA-5955-cwv4-h7qh Release Date: 2024-10-22 Update Date: 2024-10-22 Severity: Moderate CVE-2024-48927 Base Score: 4.6 Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Package Information Package: Umbraco.Cms Affected Versions: >= 10.0.0, Patched Versions: 10.8.7 Description There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode.

News

CVE Alert: CVE-2024-48927
Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. No proposed action available.
CVE-2024-48927
Medium Severity Description Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue. As a workaround, derver-side file validation is available to strip script tags from file's content during the file upload process. Read more at https://www.tenable.com/cve/CVE-2024-48927
NA - CVE-2024-48927 - Umbraco, a free and open source .NET content...
Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15....
[GHSA-5955-cwv4-h7qh] Umbraco has a Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice
GitHub Security Advisory: GHSA-5955-cwv4-h7qh Release Date: 2024-10-22 Update Date: 2024-10-22 Severity: Moderate CVE-2024-48927 Base Score: 4.6 Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Package Information Package: Umbraco.Cms Affected Versions: >= 10.0.0, Patched Versions: 10.8.7 Description There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode.
CVE-2024-48927 | Umbraco CMS up to 8.18.14/10.8.6/13.5.1 SVG File Preview injection (GHSA-5955-cwv4-h7qh)
A vulnerability, which was classified as problematic , was found in Umbraco CMS up to 8.18.14/10.8.6/13.5.1 . Affected is an unknown function of the component SVG File Preview . The manipulation leads to injection. This vulnerability is traded as CVE-2024-48927 . It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.
See 4 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:Required
Scope:Unchanged
Confidentiality:Low
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI