Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): ASP.NET
- Search Type: Search All
- Match: Exact
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2024-29035 |
Umbraco is an ASP.NET CMS. Failing webhooks logs are available when solution is not in debug mode. Those logs can contain information that is critical. This vulnerability is fixed in 13.1.1. Published: April 17, 2024; 11:15:07 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-28868 |
Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively using external logins. Published: March 20, 2024; 4:15:09 PM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2023-48003 |
An open redirect through HTML injection in user messages in Asp.Net Zero before 12.3.0 allows remote attackers to redirect targeted victims to any URL via the '<meta http-equiv="refresh"' in the WebSocket messages. Published: December 26, 2023; 5:15:13 PM -0500 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-49279 |
Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted. Published: December 12, 2023; 3:15:08 PM -0500 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-49278 |
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue. Published: December 12, 2023; 3:15:08 PM -0500 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-49274 |
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a user enumeration attack is possible when SMTP is not set up correctly, but reset password is enabled. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue. Published: December 12, 2023; 3:15:07 PM -0500 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-49273 |
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue. Published: December 12, 2023; 2:15:08 PM -0500 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-49089 |
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10.8.1, and 12.3.0 contain a patch for this issue. Published: December 12, 2023; 2:15:07 PM -0500 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-48313 |
Umbraco is an ASP.NET content management system (CMS). Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contains a cross-site scripting (XSS) vulnerability enabling attackers to bring malicious content into a website or application. Versions 10.8.1 and 12.3.4 contain a patch for this issue. Published: December 12, 2023; 1:15:22 PM -0500 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-48227 |
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available. Published: December 12, 2023; 12:15:08 PM -0500 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-38694 |
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain a patch for this issue. Published: December 12, 2023; 12:15:07 PM -0500 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-49289 |
Ajax.NET Professional (AjaxPro) is an AJAX framework for Microsoft ASP.NET which will create proxy JavaScript classes that are used on client-side to invoke methods on the web server. Affected versions of this package are vulnerable cross site scripting attacks. Releases before version 21.12.22.1 are affected. Users are advised to upgrade. There are no known workarounds for this vulnerability. Published: December 04, 2023; 7:15:08 PM -0500 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-36558 |
ASP.NET Core - Security Feature Bypass Vulnerability Published: November 14, 2023; 5:15:29 PM -0500 |
V3.1: 5.5 MEDIUM V2.0:(not available) |
CVE-2023-36038 |
ASP.NET Core Denial of Service Vulnerability Published: November 14, 2023; 5:15:28 PM -0500 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-36560 |
ASP.NET Security Feature Bypass Vulnerability Published: November 14, 2023; 1:15:48 PM -0500 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-41890 |
Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if they rely on any of these features in their authentication/authorization logic: the issuer of the generated identity and claims; or items in the stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible. Published: September 19, 2023; 11:15:52 AM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-36899 |
ASP.NET Elevation of Privilege Vulnerability Published: August 08, 2023; 3:15:10 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-35391 |
ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability Published: August 08, 2023; 3:15:09 PM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-37267 |
Umbraco is a ASP.NET CMS. Under rare conditions a restart of Umbraco can allow unauthorized users access to admin-level permissions. This vulnerability was patched in versions 10.6.1, 11.4.2 and 12.0.1. Published: July 13, 2023; 10:15:09 AM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-33170 |
ASP.NET and Visual Studio Security Feature Bypass Vulnerability Published: July 11, 2023; 2:15:15 PM -0400 |
V3.1: 8.1 HIGH V2.0:(not available) |