
  • Mike Poole 53 posts 165 karma points
    Apr 18, 2024 @ 07:12
    Mike Poole

    CVE-2019-25137 vulnerability addressed?

    We recently had a penetration test performed against a 7.15.7 site (we have 12 months of XLTS against Umbraco 7) and the following vulnerability was referenced:

    Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.

    I cannot find any reference in a security advisory about this High (score: 7.2) vulnerability.

    Was this ever addressed, or ignored because the CVE was identified post Umbraco 7 EOL and it has been addressed in versions past 7.15.10?

    I just need confirmation so I can advise the client that upgrading to Umbraco 13 will remove this issue.

    Many thanks
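For readers checking their own XSLT handling rather than waiting on an advisory, the following is an added example (not Umbraco's code) of the setting the CVE description points at: a stylesheet loaded with scripting enabled compiles any msxsl:script block on the server, while .NET's default XsltSettings refuses it. The stylesheet, the XsltLoader class and the "urn:example" namespace are constructed for this illustration.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

// Added example: the weak and the hardened way of loading an admin-supplied stylesheet.
public static class XsltLoader
{
    // Weak: EnableScript=true compiles and runs <msxsl:script> on the server.
    // (Script blocks are only supported on .NET Framework, which Umbraco 7 targets;
    // .NET Core/5+ throws PlatformNotSupportedException instead of running them.)
    public static XslCompiledTransform LoadInsecure(string xslt)
    {
        var settings = new XsltSettings(enableDocumentFunction: false, enableScript: true);
        var transform = new XslCompiledTransform();
        using var reader = XmlReader.Create(new StringReader(xslt));
        transform.Load(reader, settings, new XmlUrlResolver());
        return transform;
    }

    // Hardened: XsltSettings.Default disables script blocks and document(); a null
    // resolver and prohibited DTDs also block external fetches during compilation.
    public static XslCompiledTransform LoadHardened(string xslt)
    {
        var readerSettings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var transform = new XslCompiledTransform();
        using var reader = XmlReader.Create(new StringReader(xslt), readerSettings);
        transform.Load(reader, XsltSettings.Default, stylesheetResolver: null);
        return transform;
    }

    // Constructed stylesheet with an inert script block, used only to show it is refused.
    private const string StylesheetWithScript = @"<xsl:stylesheet version=""1.0""
        xmlns:xsl=""http://www.w3.org/1999/XSL/Transform""
        xmlns:msxsl=""urn:schemas-microsoft-com:xslt"" xmlns:user=""urn:example"">
      <msxsl:script language=""C#"" implements-prefix=""user"">
        public string Tag() { return ""script block compiled""; }
      </msxsl:script>
      <xsl:template match=""/""><xsl:value-of select=""user:Tag()""/></xsl:template>
    </xsl:stylesheet>";

    public static void Main()
    {
        try { LoadHardened(StylesheetWithScript); Console.WriteLine("unexpected: script block accepted"); }
        // Expected path: the compiler rejects the script block when EnableScript is false.
        catch (XsltException e) { Console.WriteLine("rejected as expected: " + e.Message); }
    }
}
```

When auditing a 7.x site, the check that matters is which of these two settings the XSLT endpoints actually use; the advisory question in the post is separate from that.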

  • Huw Reddick 1814 posts 6248 karma points MVP c-trib
    Apr 18, 2024 @ 14:27
    Huw Reddick

    Hi Mike,

    My guess would be it is not relevant for Umbraco 8 onwards; however, this is not the place to be asking for official confirmation, it is a community-based forum.

  • Jesper Mayntzhusen 3 posts 84 karma points MVP
    Apr 19, 2024 @ 12:22
    Jesper Mayntzhusen

    They released a 7.15.11 with a security fix - probably for this problem. Looking a bit at the source code, my guess is this PR is the fix for the problem, and it was introduced with 7.15.11:
