Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Mike Poole 53 posts 165 karma points
    Apr 18, 2024 @ 07:12
    Mike Poole
    0

    CVE2019-25137 vulnerability addressed?

    We recently had a penetration test performed against a 7.15.7 site (we have 12 months of XLTS against Umbraco 7) and the following vulnerability was referenced

    https://nvd.nist.gov/vuln/detail/CVE-2019-25137

    Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.

    I cannot find any reference in a security advisory about this High (score: 7.2) vulnerability

    Was this ever addressed, or ignored because the CVE was identified post Umbraco 7 EOL and it has been addressed in versions past 7.15.10?

    I just need confirmation so I can advise the client that upgrading to Umbraco 13 will remove this issue

    Many thanks

  • Huw Reddick 1814 posts 6248 karma points MVP c-trib
    Apr 18, 2024 @ 14:27
    Huw Reddick
    1

    Hi Mike,

    My guess would be it is not relevent for Umbraco 8 onwards, however this is not the place to be asking for official confirmation, it is a community based forum.

  • Jesper Mayntzhusen 3 posts 84 karma points MVP
    Apr 19, 2024 @ 12:22
    Jesper Mayntzhusen
    0

    They released a 7.15.11 with a security fix - probably for this problem. Looking a bit at the source code my guess is this PR is the fix for the problem, and it was introduced with 7.15.11: https://github.com/umbraco/Umbraco-CMS/pull/14740

Please Sign in or register to post replies

Write your reply to:

Draft