CVE-2019-25137 vulnerability addressed?
We recently had a penetration test performed against a 7.15.7 site (we have 12 months of XLTS against Umbraco 7) and the following vulnerability was referenced:
https://nvd.nist.gov/vuln/detail/CVE-2019-25137
Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.
I cannot find any reference in a security advisory about this High (score: 7.2) vulnerability.
Was this ever addressed, or ignored because the CVE was identified post Umbraco 7 EOL and it has been addressed in versions past 7.15.10?
I just need confirmation so I can advise the client that upgrading to Umbraco 13 will remove this issue.
Many thanks
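The CVE text above comes down to an XSLT engine that accepts stylesheets with scripting enabled. As an added illustration (not code from this thread, from Umbraco, or from the linked PR), this .NET Framework snippet shows the weak load beside the hardened one: with XsltSettings.Default the engine refuses any stylesheet carrying msxsl:script, so embedded code is never compiled. The sample stylesheet and the method names are constructed for the example.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

static class XsltScriptDemo
{
    // Constructed sample: a stylesheet that embeds code through the
    // msxsl:script extension. The script body is deliberately harmless;
    // what matters is whether the engine accepts the element at all.
    const string StylesheetWithScript = @"<?xml version=""1.0""?>
<xsl:stylesheet version=""1.0""
    xmlns:xsl=""http://www.w3.org/1999/XSL/Transform""
    xmlns:msxsl=""urn:schemas-microsoft-com:xslt""
    xmlns:ext=""urn:example-extension"">
  <msxsl:script language=""C#"" implements-prefix=""ext"">
    public string Hello() { return ""hello""; }
  </msxsl:script>
  <xsl:template match=""/""><xsl:value-of select=""ext:Hello()""/></xsl:template>
</xsl:stylesheet>";

    // Weak (shown for contrast only, never called here): TrustedXslt turns on
    // msxsl:script and document(), so script inside a user-supplied stylesheet
    // is compiled and executed with the web process's permissions.
    static XslCompiledTransform LoadTrusted(string xslt)
    {
        var t = new XslCompiledTransform();
        using (var reader = XmlReader.Create(new StringReader(xslt)))
            t.Load(reader, XsltSettings.TrustedXslt, new XmlUrlResolver());
        return t;
    }

    // Hardened: XsltSettings.Default has EnableScript = false and
    // EnableDocumentFunction = false, so Load throws XsltException on
    // msxsl:script before compiling anything. A null resolver also stops
    // xsl:import / xsl:include from fetching external resources.
    static XslCompiledTransform LoadUntrusted(string xslt)
    {
        var t = new XslCompiledTransform();
        using (var reader = XmlReader.Create(new StringReader(xslt)))
            t.Load(reader, XsltSettings.Default, null);
        return t;
    }

    static void Main()
    {
        try { LoadUntrusted(StylesheetWithScript); Console.WriteLine("unexpected: accepted"); }
        catch (XsltException ex) { Console.WriteLine("rejected as expected: " + ex.Message); }
    }
}
```

Anything that lets a back-office user submit stylesheet text should go through the hardened path; on .NET Core and later, msxsl:script is not supported at all, so the concern is specific to .NET Framework hosts such as Umbraco 7.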
Hi Mike,
My guess would be it is not relevant for Umbraco 8 onwards. However, this is not the place to be asking for official confirmation; it is a community based forum.
They released a 7.15.11 with a security fix - probably for this problem. Looking a bit at the source code my guess is this PR is the fix for the problem, and it was introduced with 7.15.11: https://github.com/umbraco/Umbraco-CMS/pull/14740