GHSA-fr6r-p8hv-x3c4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fr6r-p8hv-x3c4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-fr6r-p8hv-x3c4/GHSA-fr6r-p8hv-x3c4.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-fr6r-p8hv-x3c4
- Aliases
- Published
- 2025-06-04T23:50:55Z
- Modified
- 2025-06-05T00:31:16.377267Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L CVSS Calculator
- Summary
- Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads
- Details
-
Impact
Via a manipulated API request it's possible to upload a file that doesn't adhere with the configured allowable file extensions.
Patches
Patched in 15.4.2 and 16.0.0.
Workarounds
None available.
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2025-06-03T19:15:39Z", "github_reviewed_at": "2025-06-04T23:50:55Z", "cwe_ids": [ "CWE-434" ] }- References
Affected packages
NuGet / Umbraco.Cms
Package
- Name
- Umbraco.Cms
- View open source insights on deps.dev
- Purl
- pkg:nuget/Umbraco.Cms
Affected versions
14.*
14.0.0
14.1.0-rc
14.1.0-rc2
14.1.0
14.1.1
14.1.2
14.2.0-rc
14.2.0-rc2
14.2.0-rc3
14.2.0
14.3.0-rc
14.3.0
14.3.1
14.3.2
14.3.3
14.3.4
15.*
15.0.0-rc1
15.0.0-rc2
15.0.0-rc3
15.0.0-rc4
15.0.0
15.1.0-rc
15.1.0-rc2
15.1.0
15.1.1
15.1.2
15.2.0-rc
15.2.0
15.2.1
15.2.2
15.2.3
15.3.0-rc
15.3.0-rc2
15.3.0
15.3.1
15.4.0-rc
15.4.0-rc2
15.4.0
15.4.1