CVE-2015-8813: Umbraco CMS vulnerable to CSRF
CVSS Score: 8.2 (version 3.0)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.99215%
CWE
Published: 5/17/2022
Updated: 8/12/2023
KEV Status: No
Technology: C#
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Umbraco.CMS | nuget | < 7.4.0 | 7.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the Page_Load function in FeedProxy.aspx.cs, which handled the 'url' parameter. The pre-patch code validated the host via an XML allowlist but did not restrict the port. The commit 924a016 added a 'requestUri.Port == 80' check to mitigate this. The absence of port validation in the original implementation allowed SSRF via non-80 ports, as confirmed by the CVE description and exploit examples targeting ports 25/8080.
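
The host-only check and the host-plus-port check described above, side by side, as an added illustration (not Umbraco's code and not the contents of commit 924a016). The in-memory allowlist, the helper names and the sample URLs are constructed for the example.

```csharp
using System;
using System.Collections.Generic;

static class FeedProxyCheckDemo
{
    // Constructed stand-in for the XML host allowlist; not Umbraco's real list.
    static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "feeds.example.org" };

    // Pre-patch shape: only the host is compared against the allowlist,
    // so any port on an allowed host is accepted.
    static bool IsAllowedHostOnly(string url)
    {
        Uri requestUri;
        return Uri.TryCreate(url, UriKind.Absolute, out requestUri)
            && AllowedHosts.Contains(requestUri.Host);
    }

    // Patched shape: the same host check plus the port restriction.
    static bool IsAllowedHostAndPort(string url)
    {
        Uri requestUri;
        return Uri.TryCreate(url, UriKind.Absolute, out requestUri)
            && AllowedHosts.Contains(requestUri.Host)
            && requestUri.Port == 80;
    }

    static void Main()
    {
        // Constructed sample inputs covering allowed host, non-80 ports,
        // a different scheme and a host that is not on the allowlist.
        string[] samples =
        {
            "http://feeds.example.org/rss.xml",
            "http://feeds.example.org:8080/rss.xml",
            "http://feeds.example.org:25/",
            "https://feeds.example.org/rss.xml",
            "http://other.example.net/rss.xml",
        };

        foreach (var url in samples)
            Console.WriteLine("{0,-42} host-only={1,-5} host+port={2}",
                url, IsAllowedHostOnly(url), IsAllowedHostAndPort(url));
    }
}
```

Because Uri.Port reports the scheme's default port when the URL names none, the port check also rejects the https:// sample (port 443), which matters if any allowlisted feed is served only over HTTPS.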