VulnerableCode Package Details - pkg:nuget/Umbraco.CMS@12.3.4

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1rkh-7s4e-vyen	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10.8.1, and 12.3.0 contain a patch for this issue.	CVE-2023-49089 GHSA-6324-52pr-h4p5
VCID-2exh-k5tm-r3cy	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Umbraco is an ASP.NET content management system (CMS). Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contains a cross-site scripting (XSS) vulnerability enabling attackers to bring malicious content into a website or application. Versions 10.8.1 and 12.3.4 contain a patch for this issue.	CVE-2023-48313 GHSA-v98m-398x-269r
VCID-6hye-45tx-auc9	Incorrect Authorization Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.	CVE-2023-49273 GHSA-cfr5-7p54-4qg8
VCID-ehsc-c1uh-tua1	Exposure of Sensitive Information to an Unauthorized Actor Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.	CVE-2023-49278 GHSA-7x74-h8cw-qhxq
VCID-xu9a-vwjv-5ycb	Exposure of Sensitive Information to an Unauthorized Actor Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a user enumeration attack is possible when SMTP is not set up correctly, but reset password is enabled. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.	CVE-2023-49274 GHSA-8qp8-9rpw-j46c

Vulnerability

Summary

Aliases

VCID-1rkh-7s4e-vyen

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10.8.1, and 12.3.0 contain a patch for this issue.

CVE-2023-49089
GHSA-6324-52pr-h4p5

VCID-2exh-k5tm-r3cy

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Umbraco is an ASP.NET content management system (CMS). Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contains a cross-site scripting (XSS) vulnerability enabling attackers to bring malicious content into a website or application. Versions 10.8.1 and 12.3.4 contain a patch for this issue.

CVE-2023-48313
GHSA-v98m-398x-269r

VCID-6hye-45tx-auc9

Incorrect Authorization Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.

CVE-2023-49273
GHSA-cfr5-7p54-4qg8

VCID-ehsc-c1uh-tua1

Exposure of Sensitive Information to an Unauthorized Actor Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.

CVE-2023-49278
GHSA-7x74-h8cw-qhxq

VCID-xu9a-vwjv-5ycb

Exposure of Sensitive Information to an Unauthorized Actor Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a user enumeration attack is possible when SMTP is not set up correctly, but reset password is enabled. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.

CVE-2023-49274
GHSA-8qp8-9rpw-j46c

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:46:37.170117+00:00	GitLab Importer	Fixing	VCID-6hye-45tx-auc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Umbraco.CMS/CVE-2023-49273.yml	38.6.0
2026-06-02T04:46:36.785821+00:00	GitLab Importer	Fixing	VCID-1rkh-7s4e-vyen	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Umbraco.CMS/CVE-2023-49089.yml	38.6.0
2026-06-02T04:46:36.261280+00:00	GitLab Importer	Fixing	VCID-2exh-k5tm-r3cy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Umbraco.CMS/CVE-2023-48313.yml	38.6.0
2026-06-02T04:46:36.130909+00:00	GitLab Importer	Fixing	VCID-ehsc-c1uh-tua1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Umbraco.CMS/CVE-2023-49278.yml	38.6.0
2026-06-02T04:46:35.512980+00:00	GitLab Importer	Fixing	VCID-xu9a-vwjv-5ycb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Umbraco.CMS/CVE-2023-49274.yml	38.6.0