VulnerableCode Package Details - pkg:nuget/UmbracoCms@11.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-azpt-qmk7-1ueu Aliases: CVE-2023-49279 GHSA-6xmx-85x3-4cv2	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.	11.5.0 Affected by 0 other vulnerabilities. 12.2.0 Affected by 0 other vulnerabilities.
VCID-m8gs-zxzd-e3hu Aliases: CVE-2023-37267 GHSA-h8wc-r4jh-mg7m	Improper Access Control Umbraco is a ASP.NET CMS. Under rare conditions a restart of Umbraco can allow unauthorized users access to admin-level permissions. This vulnerability was patched in versions 10.6.1, 11.4.2 and 12.0.1.	11.4.2 Affected by 0 other vulnerabilities. 12.0.1 Affected by 0 other vulnerabilities.
VCID-s3pr-pezb-4qf4 Aliases: CVE-2023-48227 GHSA-335x-5wcm-8jv2	Incorrect Authorization Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available.	12.3.0 Affected by 0 other vulnerabilities.
VCID-wtw6-zcw6-2yd2 Aliases: CVE-2023-38694 GHSA-xxc6-35r7-796w	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain a patch for this issue.	12.1.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-azpt-qmk7-1ueu
Aliases:
CVE-2023-49279
GHSA-6xmx-85x3-4cv2

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.

11.5.0
Affected by 0 other vulnerabilities.

12.2.0
Affected by 0 other vulnerabilities.

VCID-m8gs-zxzd-e3hu
Aliases:
CVE-2023-37267
GHSA-h8wc-r4jh-mg7m

Improper Access Control Umbraco is a ASP.NET CMS. Under rare conditions a restart of Umbraco can allow unauthorized users access to admin-level permissions. This vulnerability was patched in versions 10.6.1, 11.4.2 and 12.0.1.

11.4.2
Affected by 0 other vulnerabilities.

12.0.1
Affected by 0 other vulnerabilities.

VCID-s3pr-pezb-4qf4
Aliases:
CVE-2023-48227
GHSA-335x-5wcm-8jv2

Incorrect Authorization Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available.

12.3.0
Affected by 0 other vulnerabilities.

VCID-wtw6-zcw6-2yd2
Aliases:
CVE-2023-38694
GHSA-xxc6-35r7-796w

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain a patch for this issue.

12.1.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:46:34.242667+00:00	GitLab Importer	Affected by	VCID-azpt-qmk7-1ueu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/UmbracoCms/CVE-2023-49279.yml	38.6.0
2026-06-02T04:46:33.847274+00:00	GitLab Importer	Affected by	VCID-wtw6-zcw6-2yd2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/UmbracoCms/CVE-2023-38694.yml	38.6.0
2026-06-02T04:46:33.647070+00:00	GitLab Importer	Affected by	VCID-s3pr-pezb-4qf4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/UmbracoCms/CVE-2023-48227.yml	38.6.0
2026-06-02T04:45:22.793016+00:00	GitLab Importer	Affected by	VCID-m8gs-zxzd-e3hu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/UmbracoCms/CVE-2023-37267.yml	38.6.0