CVE-2019-25137

HIGH

Umbraco CMS <7.15.10 - Authenticated RCE

Title source: llm

Description

Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.

Exploits (3)

exploitdb WORKING POC

by Gregory Draperi · pythonwebappsaspx

https://www.exploit-db.com/exploits/46153

View Code ZIP pw:eip

nomisec WRITEUP 1 stars

by Ickarah · poc

https://github.com/Ickarah/CVE-2019-25137-Version-Research

View Code ZIP pw:eip

nomisec WORKING POC

by dact91 · poc

https://github.com/dact91/CVE-2019-25137-RCE

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] https://0xdf.gitlab.io/2020/09/05/htb-remote.html

[Exploit, Third Party Advisory] https://github.com/Ickarah/CVE-2019-25137-Version-Research

[Exploit, Third Party Advisory] https://github.com/noraj/Umbraco-RCE

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/46153

Scores

CVSS v3 7.2

EPSS 0.3552

EPSS Percentile 97.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-91

Status published

Products (1)

umbraco/umbraco_cms 4.11.8 - 7.15.10

Published May 18, 2023

Tracked Since Feb 18, 2026