Description
Umbraco CMS ships with the ClientDependency package, which is vulnerable to local file inclusion (LFI) in the default installation. The package exposes the "DependencyHandler.axd" file in the root of the website. This handler combines and minifies CSS and JavaScript files, and the files to process are specified in a base64-encoded string.
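For log review, the base64 string in requests to the handler can be decoded and checked for anything other than CSS or JavaScript files. The following is an added example, not code from Umbraco or ClientDependency; the function names are hypothetical, and the query parameter names (`s`, `t`, `cdv`) in the constructed sample URLs and the `;` separator between files are assumptions about the request layout.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

HANDLER = "dependencyhandler.axd"
ALLOWED_EXT = (".css", ".js")  # the only file types the handler is meant to serve

def decode_token(token):
    """Return the decoded text if token is base64 of printable text, else None."""
    token = unquote(token)
    if len(token) < 8 or not re.fullmatch(r"[A-Za-z0-9+/_-]+=*", token):
        return None
    std = token.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        text = base64.b64decode(std, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def suspicious_files(url):
    """Decoded file references in a handler URL that are not CSS or JavaScript."""
    parts = urlsplit(url)
    pos = parts.path.lower().find(HANDLER)
    if pos < 0:
        return []
    # Candidates: path segments after the handler name and every query value.
    tokens = parts.path[pos + len(HANDLER):].split("/")
    tokens += [pair.partition("=")[2] for pair in parts.query.split("&")]
    hits = []
    for decoded in filter(None, map(decode_token, tokens)):
        # Assumption: several files are joined with ';' inside one string.
        for ref in filter(None, decoded.split(";")):
            if not ref.lower().split("?")[0].endswith(ALLOWED_EXT):
                hits.append(ref)
    return hits

def sample_url(refs):
    """Build a constructed request URL (parameter names are assumptions)."""
    blob = base64.b64encode(refs.encode()).decode()
    return f"/DependencyHandler.axd?s={blob}&t=Css&cdv=1"

if __name__ == "__main__":
    for refs in ("/css/site.css;/scripts/app.js", "/css/site.css;/constructed/settings.config"):
        url = sample_url(refs)
        print(url, "->", suspicious_files(url) or "ok")
```

Feeding the request-URL field of each web server log entry to `suspicious_files` returns the decoded references that deserve a closer look; an empty list means the request only named CSS or JavaScript files.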
Remediation
The Umbraco team have released a fixed version of the ClientDependency package. For more information, consult the Umbraco security advisory listed in the web references.
References