

  • Mike Poole 53 posts 165 karma points
    Apr 18, 2024 @ 07:12
    Mike Poole
    0

    CVE-2019-25137 vulnerability addressed?

    We recently had a penetration test performed against a 7.15.7 site (we have 12 months of XLTS against Umbraco 7) and the following vulnerability was referenced

    https://nvd.nist.gov/vuln/detail/CVE-2019-25137

    Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.

    I cannot find any reference in a security advisory about this High (score: 7.2) vulnerability.

    Was this ever addressed, or ignored because the CVE was identified post-Umbraco 7 EOL and it has been addressed in versions past 7.15.10?

    I just need confirmation so I can advise the client that upgrading to Umbraco 13 will remove this issue.

    Many thanks
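The CVE text above hinges on msxsl:script blocks being compiled and executed when an XSLT stylesheet is loaded. The C# below is an added illustration written for this thread, not Umbraco's code and not the fix referenced in the CVE; it shows the XsltSettings flag that turns script execution on beside the hardened default, plus an audit check for script blocks in stylesheets already on disk. It assumes .NET Framework's System.Xml.Xsl, and the class and method names (XsltHardening, LoadUnsafe, LoadHardened, ContainsScriptBlock) and the sample stylesheet are constructed for the example.

```csharp
using System.IO;
using System.Xml;
using System.Xml.Xsl;

public static class XsltHardening
{
    // Constructed sample stylesheet carrying an msxsl:script block; the script
    // body is a harmless constant so the sample is safe to compile and run.
    public const string SampleWithScript =
        @"<xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform""
            xmlns:msxsl=""urn:schemas-microsoft-com:xslt"" xmlns:user=""urn:example"">
          <msxsl:script language=""C#"" implements-prefix=""user"">
            public string Hello() { return ""hi""; }
          </msxsl:script>
          <xsl:template match=""/""><xsl:value-of select=""user:Hello()""/></xsl:template>
        </xsl:stylesheet>";

    // Weak setting: EnableScript = true compiles and executes any msxsl:script
    // in the stylesheet in-process, so whoever controls the XSLT controls the host.
    public static XslCompiledTransform LoadUnsafe(string xslt)
    {
        var transform = new XslCompiledTransform();
        var settings = new XsltSettings(enableDocumentFunction: false, enableScript: true);
        using (var reader = XmlReader.Create(new StringReader(xslt)))
            transform.Load(reader, settings, null);
        return transform;
    }

    // Hardened: XsltSettings.Default disables scripts and document(); a null resolver
    // blocks xsl:import/include fetches. An msxsl:script block now makes Load throw.
    public static XslCompiledTransform LoadHardened(string xslt)
    {
        var transform = new XslCompiledTransform();
        using (var reader = XmlReader.Create(new StringReader(xslt)))
            transform.Load(reader, XsltSettings.Default, null);
        return transform;
    }

    // Audit helper for stylesheets already on disk: true if any element named
    // "script" in the msxsl namespace is present, whatever prefix it uses.
    public static bool ContainsScriptBlock(string xslt)
    {
        using (var reader = XmlReader.Create(new StringReader(xslt)))
            while (reader.Read())
                if (reader.NodeType == XmlNodeType.Element && reader.LocalName == "script"
                    && reader.NamespaceURI == "urn:schemas-microsoft-com:xslt")
                    return true;
        return false;
    }
}
```

Calling LoadHardened(SampleWithScript) fails with an XsltException because scripting is prohibited under the default settings, while ContainsScriptBlock(SampleWithScript) returns true and can be run over every .xslt file a site ships to find blocks that need review.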

  • Huw Reddick 1932 posts 6722 karma points MVP 2x c-trib
    Apr 18, 2024 @ 14:27
    Huw Reddick
    1

    Hi Mike,

    My guess would be it is not relevant for Umbraco 8 onwards; however, this is not the place to be asking for official confirmation, it is a community-based forum.

  • Jesper Mayntzhusen 3 posts 84 karma points MVP 2x
    Apr 19, 2024 @ 12:22
    Jesper Mayntzhusen
    0

    They released a 7.15.11 with a security fix - probably for this problem. Looking a bit at the source code my guess is this PR is the fix for the problem, and it was introduced with 7.15.11: https://github.com/umbraco/Umbraco-CMS/pull/14740
