CVE-2017-15280

Published: Oct 12, 2017Modified: May 13, 2026

5.5

Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs.

Affected (1)

Products: Umbraco: Umbraco Cms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Umbraco Umbraco Cms	Up to 7.7.2

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (4)

http://issues.umbraco.org/issue/U4-10506

Source: cve@mitre.org

Issue TrackingPatchVendor Advisory

https://github.com/umbraco/Umbraco-CMS/commit/5dde2efe0d2b3a47d17439e03acabb7ea2befb64

Source: cve@mitre.org

PatchThird Party Advisory

http://issues.umbraco.org/issue/U4-10506

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

https://github.com/umbraco/Umbraco-CMS/commit/5dde2efe0d2b3a47d17439e03acabb7ea2befb64

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.