MEDIUM 6.5

GHSA-936x-wgqv-hhgq

Authenticated path traversal in Umbraco CMS

Details

An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, which could result in arbitrary files being written outside of the site home and expected paths when installing an Umbraco package.

Are you affected?

Enter the version of the package you're using.

Affected packages

NuGet / UmbracoCms

Introduced in: 0 Fixed in: 8.9.2

Fix dotnet add package UmbracoCms --version 8.9.2

References

https://nvd.nist.gov/vuln/detail/CVE-2020-5811 [ADVISORY]
https://www.tenable.com/security/research/tra-2020-59 [WEB]
http://packetstormsecurity.com/files/163965/Umbraco-CMS-8.9.1-Traversal-Arbitrary-File-Write.html [WEB]