CVE-2017-15280
MEDIUM
Umbraco CMS < 7.7.3 - XML External Entity Injection via Import Document Type Dialog
Title source: llm
Description
XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs.
References (2)
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/umbraco/Umbraco-CMS/commit/5dde2efe0d2b3a47d17439e03acabb7ea2befb64
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
http://issues.umbraco.org/issue/U4-10506
Scores
CVSS v3
5.5
EPSS
0.0019
EPSS Percentile
40.8%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Details
CWE
CWE-611
Status
published
Products (2)
nuget/UmbracoCms.Web
0 - 7.7.3 (NuGet)
umbraco/umbraco_cms
< 7.7.2
Published
Oct 12, 2017
Tracked Since
Feb 18, 2026