VulnerableCode Package Details - pkg:nuget/UmbracoCms@10.7.0

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-azpt-qmk7-1ueu	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.	CVE-2023-49279 GHSA-6xmx-85x3-4cv2
VCID-s3pr-pezb-4qf4	Incorrect Authorization Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available.	CVE-2023-48227 GHSA-335x-5wcm-8jv2
VCID-wtw6-zcw6-2yd2	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain a patch for this issue.	CVE-2023-38694 GHSA-xxc6-35r7-796w

Vulnerability

Summary

Aliases

VCID-azpt-qmk7-1ueu

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.

CVE-2023-49279
GHSA-6xmx-85x3-4cv2

VCID-s3pr-pezb-4qf4

Incorrect Authorization Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available.

CVE-2023-48227
GHSA-335x-5wcm-8jv2

VCID-wtw6-zcw6-2yd2

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain a patch for this issue.

CVE-2023-38694
GHSA-xxc6-35r7-796w

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:46:34.316497+00:00	GitLab Importer	Fixing	VCID-azpt-qmk7-1ueu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/UmbracoCms/CVE-2023-49279.yml	38.6.0
2026-06-02T04:46:33.869865+00:00	GitLab Importer	Fixing	VCID-wtw6-zcw6-2yd2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/UmbracoCms/CVE-2023-38694.yml	38.6.0
2026-06-02T04:46:33.672502+00:00	GitLab Importer	Fixing	VCID-s3pr-pezb-4qf4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/UmbracoCms/CVE-2023-48227.yml	38.6.0