CVE-2025-32017

Published: Apr 8, 2025

Modified: Apr 9, 2025

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

Umbraco is a free and open source .NET content management system. Authenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to upload files into a incorrect location. The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1.

Vendor	Product	Versions
umbraco	Umbraco-CMS	affected `>= 14.0.0--preview004, < 14.3.4` affected `>= 15.0.0-rc1, < 15.3.1`

Weaknesses (CWE)

CWE-23

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-q62r-8ppj-xvf4

x_refsource_CONFIRM

https://github.com/umbraco/Umbraco-CMS/commit/06a2a500b358ce15b1e228391eb60bd517c6e833

x_refsource_MISC

https://github.com/umbraco/Umbraco-CMS/commit/d3c1443b14b1076faf13d1bcecc42860fdf5fad8

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-32017

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References