{"url":"http://public2.vulnerablecode.io/api/packages/66110?format=json","purl":"pkg:nuget/UmbracoCms@12.0.0","type":"nuget","namespace":"","name":"UmbracoCms","version":"12.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46621?format=json","vulnerability_id":"VCID-1rkh-7s4e-vyen","summary":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nUmbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10.8.1, and 12.3.0 contain a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49089","reference_id":"","reference_type":"","scores":[{"value":"0.00122","scoring_system":"epss","scoring_elements":"0.30836","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49089"},{"reference_url":"https://github.com/umbraco/Umbraco-CMS","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/umbraco/Umbraco-CMS"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49089","reference_id":"CVE-2023-49089","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49089"},{"reference_url":"https://github.com/advisories/GHSA-6324-52pr-h4p5","reference_id":"GHSA-6324-52pr-h4p5","r
eference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6324-52pr-h4p5"},{"reference_url":"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6324-52pr-h4p5","reference_id":"GHSA-6324-52pr-h4p5","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6324-52pr-h4p5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68116?format=json","purl":"pkg:nuget/UmbracoCms@12.3.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:nuget/UmbracoCms@12.3.0"}],"aliases":["CVE-2023-49089","GHSA-6324-52pr-h4p5"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1rkh-7s4e-vyen"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46618?format=json","vulnerability_id":"VCID-2exh-k5tm-r3cy","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nUmbraco is an ASP.NET content management system (CMS). Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contains a cross-site scripting (XSS) vulnerability enabling attackers to bring malicious content into a website or application. 
Versions 10.8.1 and 12.3.4 contain a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48313","reference_id":"","reference_type":"","scores":[{"value":"0.00572","scoring_system":"epss","scoring_elements":"0.69098","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48313"},{"reference_url":"https://github.com/umbraco/Umbraco-CMS","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/umbraco/Umbraco-CMS"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48313","reference_id":"CVE-2023-48313","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48313"},{"reference_url":"https://github.com/advisories/GHSA-v98m-398x-269r","reference_id":"GHSA-v98m-398x-269r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v98m-398x-269r"},{"reference_url":"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-v98m-398x-269r","reference_id":"GHSA-v98m-398x-269r","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-28T14:45:15Z/"}],"url":"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-v98m-398x-269r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68121?format=json","purl":"pkg:nuget/UmbracoCms@12.3.4","is_vulnerable":false,"a
ffected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:nuget/UmbracoCms@12.3.4"}],"aliases":["CVE-2023-48313","GHSA-v98m-398x-269r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2exh-k5tm-r3cy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46612?format=json","vulnerability_id":"VCID-6hye-45tx-auc9","summary":"Incorrect Authorization\nUmbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49273","reference_id":"","reference_type":"","scores":[{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50125","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49273"},{"reference_url":"https://github.com/umbraco/Umbraco-CMS","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/umbraco/Umbraco-CMS"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49273","reference_id":"CVE-2023-49273","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49273"},{"reference_url":"https://github.com/advisories/GHSA-cfr5-7p54-4qg8","reference_id":"GHSA-cfr5-7p54-4qg8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cfr5-7p54-4qg8"},{"ref
erence_url":"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-cfr5-7p54-4qg8","reference_id":"GHSA-cfr5-7p54-4qg8","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-cfr5-7p54-4qg8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68121?format=json","purl":"pkg:nuget/UmbracoCms@12.3.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:nuget/UmbracoCms@12.3.4"}],"aliases":["CVE-2023-49273","GHSA-cfr5-7p54-4qg8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6hye-45tx-auc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46620?format=json","vulnerability_id":"VCID-azpt-qmk7-1ueu","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nUmbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. 
Implement server-side file validation, or serve all media from a different host (e.g. a CDN) than the one where Umbraco is hosted.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49279","reference_id":"","reference_type":"","scores":[{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63806","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49279"},{"reference_url":"https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:N"},{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-28T14:43:05Z/"}],"url":"https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation"},{"reference_url":"https://github.com/umbraco/Umbraco-CMS","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/umbraco/Umbraco-CMS"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49279","reference_id":"CVE-2023-49279","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49279"},{"reference_url":"https://github.com/advisories/GHSA-6xmx-85x3-4cv2","reference_id":"GHSA-6xmx-85x3-4cv2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6xmx-85x3-4cv2"},{"re
ference_url":"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6xmx-85x3-4cv2","reference_id":"GHSA-6xmx-85x3-4cv2","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:N"},{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-28T14:43:05Z/"}],"url":"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6xmx-85x3-4cv2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68132?format=json","purl":"pkg:nuget/UmbracoCms@12.2.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:nuget/UmbracoCms@12.2.0"}],"aliases":["CVE-2023-49279","GHSA-6xmx-85x3-4cv2"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-azpt-qmk7-1ueu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46623?format=json","vulnerability_id":"VCID-ehsc-c1uh-tua1","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nUmbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. 
Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49278","reference_id":"","reference_type":"","scores":[{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54926","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49278"},{"reference_url":"https://github.com/umbraco/Umbraco-CMS","reference_id":"","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/umbraco/Umbraco-CMS"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49278","reference_id":"CVE-2023-49278","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49278"},{"reference_url":"https://github.com/advisories/GHSA-7x74-h8cw-qhxq","reference_id":"GHSA-7x74-h8cw-qhxq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7x74-h8cw-qhxq"},{"reference_url":"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-7x74-h8cw-qhxq","reference_id":"GHSA-7x74-h8cw-qhxq","reference_type":"","scores":[{"value":"0.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-06T16:27:06Z/"}],"url":"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-7x74-h8cw-qhxq"}],"fixed_packages":[{"url":"http://public2.vulner
ablecode.io/api/packages/68121?format=json","purl":"pkg:nuget/UmbracoCms@12.3.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:nuget/UmbracoCms@12.3.4"}],"aliases":["CVE-2023-49278","GHSA-7x74-h8cw-qhxq"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ehsc-c1uh-tua1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45648?format=json","vulnerability_id":"VCID-m8gs-zxzd-e3hu","summary":"Improper Access Control\nUmbraco is a ASP.NET CMS. Under rare conditions a restart of Umbraco can allow unauthorized users access to admin-level permissions. This vulnerability was patched in versions 10.6.1, 11.4.2 and 12.0.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37267","reference_id":"","reference_type":"","scores":[{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.6216","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37267"},{"reference_url":"https://github.com/umbraco/Umbraco-CMS","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/umbraco/Umbraco-CMS"},{"reference_url":"https://github.com/umbraco/Umbraco-CMS/commit/1f26f2c6f3428833892cde5c6d8441fb041e410e","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-31T17:43:26Z/"}],"url":"https://github.com/umbraco/Umbraco-CMS/commit/1f26f2c6f3428833892cde5c6d8441fb041e410e"},{"refer
ence_url":"https://github.com/umbraco/Umbraco-CMS/commit/20a4e475c8d7b91d263e4e103ef19f3644e7b569","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-31T17:43:26Z/"}],"url":"https://github.com/umbraco/Umbraco-CMS/commit/20a4e475c8d7b91d263e4e103ef19f3644e7b569"},{"reference_url":"https://github.com/umbraco/Umbraco-CMS/commit/82eae48d098b9deecbdf86cf288b2b18020e1fed","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-31T17:43:26Z/"}],"url":"https://github.com/umbraco/Umbraco-CMS/commit/82eae48d098b9deecbdf86cf288b2b18020e1fed"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37267","reference_id":"CVE-2023-37267","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37267"},{"reference_url":"https://github.com/advisories/GHSA-h8wc-r4jh-mg7m","reference_id":"GHSA-h8wc-r4jh-mg7m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h8wc-r4jh-mg7m"},{"reference_url":"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-h8wc-r4jh-mg7m","reference_id":"GHSA-h8wc-r4jh-mg7m","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","sc
oring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-31T17:43:26Z/"}],"url":"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-h8wc-r4jh-mg7m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66113?format=json","purl":"pkg:nuget/UmbracoCms@12.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:nuget/UmbracoCms@12.0.1"}],"aliases":["CVE-2023-37267","GHSA-h8wc-r4jh-mg7m"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m8gs-zxzd-e3hu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46617?format=json","vulnerability_id":"VCID-xu9a-vwjv-5ycb","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nUmbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a user enumeration attack is possible when SMTP is not set up correctly, but reset password is enabled. 
Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49274","reference_id":"","reference_type":"","scores":[{"value":"0.00368","scoring_system":"epss","scoring_elements":"0.59044","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49274"},{"reference_url":"https://github.com/umbraco/Umbraco-CMS","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/umbraco/Umbraco-CMS"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49274","reference_id":"CVE-2023-49274","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49274"},{"reference_url":"https://github.com/advisories/GHSA-8qp8-9rpw-j46c","reference_id":"GHSA-8qp8-9rpw-j46c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8qp8-9rpw-j46c"},{"reference_url":"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-8qp8-9rpw-j46c","reference_id":"GHSA-8qp8-9rpw-j46c","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-8qp8-9rpw-j46c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68121?format=json","purl":"pkg:nuget/UmbracoCms@12.3.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:nuget/UmbracoCms@12.3.4"}],"alia
ses":["CVE-2023-49274","GHSA-8qp8-9rpw-j46c"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xu9a-vwjv-5ycb"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:nuget/UmbracoCms@12.0.0"}