Insecure Defaults Affecting umbracoforms package, versions [0,]


0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.08% (35th percentile)
Expand this section
NVD
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DOTNET-UMBRACOFORMS-595765
  • published 28 Jul 2020
  • disclosed 24 Jul 2020
  • credit Adrian Gigliotti from Shearwater Solutions

How to fix?

There is no fixed version for UmbracoForms.

Overview

UmbracoForms is a tool that makes creating contact forms, entry forms and questionnaires just as easy as using Word.

Affected versions of this package are vulnerable to Insecure Defaults. When using the default configuration for upload forms, it is possible to upload arbitrary file types.

The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies.

PoC by Adrian Gigliotti

  1. Submit a malicious file through a file upload form created using UmbracoForms with default configuration.
  2. In the administrator's view, you can verify that the file has been stored and is available for interaction.