GHSA-6xmx-85x3-4cv2

GitHub Security Advisory

Stored XSS via SVG File Upload

GitHub Reviewed · Severity: LOW · Has CVE

Advisory Details

#### Impact
A user with access to the backoffice can upload SVG files that include scripts. If that user can trick another user into loading the media directly in a browser, the scripts are executed in that user's browser.

#### Workaround
Implement server-side file validation:
https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation

or

Serve all media from a different host (e.g. a CDN) than the one where Umbraco is hosted.
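As an added illustration of the first workaround (a constructed example, not Umbraco's own validator or the code behind the linked documentation): a content-based check that rejects uploaded SVG files carrying script elements, event-handler attributes, javascript: URLs, or non-SVG bytes renamed to `.svg`. The sample inputs are constructed for the demonstration.

```python
"""Content check for uploaded SVG files (constructed example, not Umbraco's code)."""
import xml.etree.ElementTree as ET

# Elements that embed script or arbitrary (X)HTML inside an SVG document.
DANGEROUS_ELEMENTS = {"script", "foreignObject"}


def _local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected (empty list = clean).

    Inspects the file content rather than its extension, so a renamed non-SVG
    file fails the well-formedness test. For production use a hardened parser
    (e.g. defusedxml) so entity expansion cannot be used against the parser itself.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local_name(root.tag) != "svg":
        return [f"root element is <{_local_name(root.tag)}>, not <svg>"]

    findings = []
    for element in root.iter():
        name = _local_name(element.tag)
        if name in DANGEROUS_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in element.attrib.items():
            attr_name = _local_name(attr)  # handles xlink:href as well as href
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler '{attr_name}' on <{name}>")
            elif attr_name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


# Constructed samples: one clean file, three that must be rejected.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'
SCRIPT_TAG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* embedded */</script></svg>'
EVENT_ATTR = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" onload="f()"/></svg>'
RENAMED_PNG = b'\x89PNG\r\n\x1a\n'  # binary data uploaded under an .svg name

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("script", SCRIPT_TAG),
                          ("event", EVENT_ATTR), ("png", RENAMED_PNG)]:
        print(label, "accepted" if is_safe_svg(sample) else svg_findings(sample))
```

Because the parser decodes character references before the check runs, an obfuscated `&#106;avascript:` href is caught the same way as a literal one.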

Affected Packages

Umbraco.CMS (NuGet), affected versions: 7.0.0 (fixed in 7.15.11)
Umbraco.CMS (NuGet), affected versions: 8.0.0 (fixed in 8.18.9)
Umbraco.CMS (NuGet), affected versions: 9.0.0 (fixed in 10.7.0)
Umbraco.CMS (NuGet), affected versions: 11.0.0 (fixed in 11.5.0)
Umbraco.CMS (NuGet), affected versions: 12.0.0 (fixed in 12.2.0)

Key Information

GHSA ID
GHSA-6xmx-85x3-4cv2
Published
December 13, 2023 1:30 PM
Last Modified
December 13, 2023 1:30 PM
CVSS Score
2.5 / 10
Primary Ecosystem
NuGet
Primary Package
Umbraco.CMS
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 1, 2025 6:44 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.