Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Umbraco CMS local file inclusion

Description

Umbraco CMS includes a ClientDependency package that is vulnerable to a local file inclusion (LFI) in the default installation. The ClientDependency package, used by Umbraco, exposes the "DependencyHandler.axd" file in the root of the website. This file is used to combine and minify CSS and JavaScript files, which are supplied in a base64 encoded string.

Remediation

The Umbraco team have released a fixed version of the ClientDependency package. For more information consult the Umbraco security advisory listed in web references.

References

Umbraco CMS Local File Inclusion

Security alert - Update ClientDependency immediately

Related Vulnerabilities

Apache Axis2 xsd local file inclusion

WordPress Plugin Backup by Supsystic Local File Inclusion (2.3.9)

WordPress Plugin Extensive VC Addons for WPBakery page builder Local File Inclusion (1.9)

WordPress Plugin Post Recommendations for WordPress 'api.php' Remote File Include (1.1.2)

WordPress Plugin WordPress Ad Widget Local File Inclusion (2.11.0)

Severity

High

Classification

CWE-98 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

File Inclusion