Vulnerabilities > Umbraco > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-10-22 | CVE-2024-47819 | Cross-site Scripting vulnerability in Umbraco CMS Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. | 8.7 |
| 2023-05-18 | CVE-2019-25137 | XML Injection (aka Blind XPath Injection) vulnerability in Umbraco CMS Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx. | 7.2 |
| 2020-07-28 | CVE-2020-7685 | Insecure Default Initialization of Resource vulnerability in Umbraco Forms This affects all versions of package UmbracoForms. | 7.5 |
| 2019-10-02 | CVE-2019-13957 | SQL Injection vulnerability in Umbraco 7.3.8 In Umbraco 7.3.8, there is SQL Injection in the backoffice/PageWApprove/PageWApproveApi/GetInpectSearch method via the nodeName parameter. | 7.5 |
| 2018-08-27 | CVE-2014-10074 | Unrestricted Upload of File with Dangerous Type vulnerability in Umbraco CMS Umbraco before 7.2.0 has a remote PHP code execution vulnerability because Umbraco.Web.UI/config/umbracoSettings.Release.config does not block the upload of .php files. | 7.5 |
| 2017-04-13 | CVE-2012-1301 | Improper Input Validation vulnerability in Umbraco CMS 4.7.0 The FeedProxy.aspx script in Umbraco 4.7.0 allows remote attackers to proxy requests on their behalf via the "url" parameter. | 7.5 |
| 2014-12-27 | CVE-2013-4793 | Improper Authentication vulnerability in Umbraco CMS The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS before 6.0.4 does not require authentication, which allows remote attackers to execute arbitrary ASP.NET code via a crafted SOAP request. | 7.5 |