CVE-2025-27602

Medium CVSS: 4.9

Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to. The issue is patched in versions 10.8.9 and 13.7.1. No known workarounds are available.

Vendor

Umbraco

Product

Umbraco Cms

CWE

CWE-285

Yayın Tarihi

2025-03-11 16:15:18

Güncelleme

2025-09-22 13:57:50

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-285 Umbraco Cms MEDIUM Umbraco 2025

Referanslar

https://github.com/umbraco/Umbraco-CMS/commit/5b54bed406682ceff57903bf7d3c57814eef31a7 https://github.com/umbraco/Umbraco-CMS/commit/7888b9a4ce5ae7f9bda7ff3bb705b8fcd2f1675d https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wx5h-wqfq-v698

Benzer Kayıtlar

Medium

CVE-2026-31832

Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability ex…

Medium

CVE-2026-31833

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, An authenticated backoffice user with access to Sett…

High

CVE-2026-31834

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identi…

Medium

CVE-2026-24687

Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authent…

High

CVE-2025-68924

In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a…

Medium

CVE-2021-47776

Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl par…