Description

Umbraco CMS includes a ClientDependency package that is vulnerable to a local file inclusion (LFI) in the default installation. The ClientDependency package, used by Umbraco, exposes the "DependencyHandler.axd" file in the root of the website. This file is used to combine and minify CSS and JavaScript files, which are supplied in a base64 encoded string.

Remediation

The Umbraco team have released a fixed version of the ClientDependency package. For more information consult the Umbraco security advisory listed in web references.

References

Umbraco CMS Local File Inclusion

Security alert - Update ClientDependency immediately

Related Vulnerabilities

WordPress Plugin WP Image Zoom Local File Inclusion (1.46)

WordPress Plugin Spellchecker 'general.php' Local and Remote File Include Vulnerabilities (3.1)

WordPress Plugin Content Blocks (Custom Post Widget) Local File Inclusion (3.3.0)

WordPress Plugin Gwolle Guestbook Remote File Inclusion (1.5.3)

WordPress Plugin AceIDE Local File Inclusion (2.6.2)

Severity

High

Classification

CWE-98 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

File Inclusion