Insecure Defaults

Affecting umbracoforms package, versions [0,]


Overview

UmbracoForms is a tool that makes creating contact forms, entry forms and questionnaires just as easy as using Word.

Affected versions of this package are vulnerable to Insecure Defaults. With the default configuration of a file upload form, no file-type restriction is applied, so arbitrary file types can be uploaded.

The package offers a way for users to mitigate the issue: users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies.
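One way such a validation could be written, as an added example rather than code from Umbraco Forms or the advisory: an allowlist of expected extensions, each tied to the leading bytes the content must carry, so that the attacker-chosen file name alone never decides whether the upload is stored. The class and method names (`UploadPolicy`, `IsAllowed`) and the signature table are assumptions for this example, not part of the package's API.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Hypothetical helper a custom workflow or server-side validator could call
// before an uploaded file is persisted. Not the Umbraco Forms API.
public static class UploadPolicy
{
    // Allowlist, not denylist: only the types the form actually needs, with the
    // magic bytes each must begin with (table constructed for this example).
    private static readonly Dictionary<string, byte[][]> Allowed =
        new Dictionary<string, byte[][]>
        {
            [".png"] = new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
            [".jpg"] = new[] { new byte[] { 0xFF, 0xD8, 0xFF } },
            [".pdf"] = new[] { new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D } }, // "%PDF-"
        };

    public static bool IsAllowed(string fileName, byte[] content, long maxBytes = 5_000_000)
    {
        if (string.IsNullOrWhiteSpace(fileName) || content is null) return false;
        if (content.LongLength == 0 || content.LongLength > maxBytes) return false;

        // Drop any path the client sent; refuse control characters (covers NUL).
        var name = Path.GetFileName(fileName.Replace('\\', '/'));
        if (name.Length == 0 || name.Any(char.IsControl)) return false;

        // Only the final extension counts: "report.pdf.aspx" resolves to ".aspx",
        // and a trailing dot yields an empty extension; both miss the allowlist.
        var ext = Path.GetExtension(name).ToLowerInvariant();
        if (!Allowed.TryGetValue(ext, out var signatures)) return false;

        // The extension is attacker-controlled; the bytes must agree with it.
        return signatures.Any(sig =>
            content.Length >= sig.Length && content.Take(sig.Length).SequenceEqual(sig));
    }

    public static void Main()
    {
        // Constructed sample inputs for a stand-alone run.
        var pdfBytes = System.Text.Encoding.ASCII.GetBytes("%PDF-1.4 sample");
        Console.WriteLine(IsAllowed("scan.pdf", pdfBytes));          // True
        Console.WriteLine(IsAllowed("scan.pdf.aspx", pdfBytes));     // False: final extension
        Console.WriteLine(IsAllowed("photo.png", pdfBytes));         // False: bytes disagree
    }
}
```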

PoC by Adrian Gigliotti

  1. Submit a malicious file through a file upload form created using UmbracoForms with default configuration.
  2. In the administrator's view, you can verify that the file has been stored and is available for interaction.

Remediation

There is no fixed version for UmbracoForms.

CVSS Score

5.4 (medium severity)
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Credit
Adrian Gigliotti from Shearwater Solutions
CVE
CVE-2020-7685
CWE
CWE-453
Snyk ID
SNYK-DOTNET-UMBRACOFORMS-595765
Disclosed
24 Jul, 2020
Published
28 Jul, 2020