Description

Umbraco CMS includes a ClientDependency package that is vulnerable to a local file inclusion (LFI) in the default installation. The ClientDependency package, used by Umbraco, exposes the "DependencyHandler.axd" file in the root of the website. This file is used to combine and minify CSS and JavaScript files, which are supplied in a base64 encoded string.

Remediation

The Umbraco team have released a fixed version of the ClientDependency package. For more information consult the Umbraco security advisory listed in web references.

References

Umbraco CMS Local File Inclusion

Security alert - Update ClientDependency immediately

Related Vulnerabilities

WordPress Plugin Localize My Post Local File Inclusion (1.0)

Joomla! Core 3.x.x Local File Inclusion (3.0.0 - 3.9.25)

WordPress Plugin Ultimate Member-User Profile, Registration, Login, Member Directory, Content Restriction & Membership Local File Inclusion (1.3.64)

WordPress Plugin Photocart Link Local File Inclusion (1.6)

WordPress Plugin Relocate Upload 'abspath' Parameter Remote File Include (0.14)

Severity

High

Classification

CWE-98 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

File Inclusion