Umbraco CMS 8.5.3 allows an authenticated file upload

Overview :

Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality.

Umbraco CMS 8.5.3 – Authenticated FileUpload PoC

Attack Type: File Upload

Product Version: 8.5.3

OWASP Category: Unrestricted File Upload

Solution: Add package integrity mechanisms and/or file extension whitelist/blacklist filtering

Summary: Umbraco CMS 8.5.3 allows an authenticated file upload via the Packages functionality

Technical Description: See CVE-2020-9472.pdf

Exploit: See exploit_local.py

Vulnerability Details :

CVE ID :

CVE-2020-9472

Reference Order

References are typically listed in the order below:

Initial announcement
Response team advisory
Vendor acknowledgement/advisory
All other public sources

Recent Blog Posts

Best End-to-End Encryption Tools for 2025

Top 6 WAF Alternatives for Cloud-Native Apps

Top F5 WAF Alternatives for 2025

Top 10 Bot Mitigation Tools for 2025

Top 5 WAAP Platforms Compared (2025 Guide)

WAF Solution

Recent Case Studies

Government Institution Fortifies Data Defenses with Prophaze

Government Institution Fortifies Data Defenses with Prophaze

December 14, 2023

Prophaze's WAF Redefines Aerospace Security Standards

Prophaze’s WAF Redefines Aerospace Security Standards

December 14, 2023

Industrial IoT Breach mitigated by Prophaze

Industrial IoT Breach Mitigated by Prophaze

December 14, 2023

Recent Press Releases

Indo Pak Cyber Attacks

India Cyber Attack: 85 Million Malicious Requests Blocked by Prophaze

May 20, 2025

Prophaze Named in Gartner’s 2025 WAAP Market Guide

Prophaze Named in Gartner’s 2025 WAAP Market Guide

April 22, 2025

Intel Prophaze Partnership

Intel’s 4th Gen Processors Power Prophaze’s New Era of Smarter, Faster Security

January 23, 2025

img:is([sizes="auto" i],[sizes^="auto," i]){contain-intrinsic-size:3000px 1500px;}.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em;}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none;}:root{--wp--preset--aspect-ratio--square:1;--wp--preset--aspect-ratio--4-3:4/3;--wp--preset--aspect-ratio--3-4:3/4;--wp--preset--aspect-ratio--3-2:3/2;--wp--preset--aspect-ratio--2-3:2/3;--wp--preset--aspect-ratio--16-9:16/9;--wp--preset--aspect-ratio--9-16:9/16;--wp--preset--color--black:#000;--wp--preset--color--cyan-bluish-gray:#abb8c3;--wp--preset--color--white:#fff;--wp--preset--color--pale-pink:#f78da7;--wp--preset--color--vivid-red:#cf2e2e;--wp--preset--color--luminous-vivid-orange:#ff6900;--wp--preset--color--luminous-vivid-amber:#fcb900;--wp--preset--color--light-green-cyan:#7bdcb5;--wp--preset--color--vivid-green-cyan:#00d084;--wp--preset--color--pale-cyan-blue:#8ed1fc;--wp--preset--color--vivid-cyan-blue:#0693e3;--wp--preset--color--vivid-purple:#9b51e0;--wp--preset--color--pink:#ff3467;--wp--preset--color--blue:#2550de;--wp--preset--color--light-blue:#287ac7;--wp--preset--color--dark-blue:#353f58;--wp--preset--color--silver:#656970;--wp--preset--color--clouds:#f7fbff;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple:linear-gradient(135deg,rgba(6,147,227,1) 0%,#9b51e0 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan:linear-gradient(135deg,#7adcb4 0%,#00d082 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange:linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red:linear-gradient(135deg,rgba(255,105,0,1) 0%,#cf2e2e 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray:linear-gradient(135deg,#eee 0%,#a9b8c3 100%);--wp--preset--gradient--cool-to-warm-spectrum:linear-gradient(135deg,#4aeadc 0%,#9778d1 20%,#cf2aba 40%,#ee2c82 60%,#fb6962 80%,#fef84c 100%);--wp--preset--gradient--blush-light-purple:linear-gradient(135deg,#ffceec 0%,#9896f0 100%);--wp--preset--gradient--blush-bordeaux:linear-gradient(135deg,#fecda5 0%,#fe2d2d 50%,#6b003e 100%);--wp--preset--gradient--luminous-dusk:linear-gradient(135deg,#ffcb70 0%,#c751c0 50%,#4158d0 100%);--wp--preset--gradient--pale-ocean:linear-gradient(135deg,#fff5cb 0%,#b6e3d4 50%,#33a7b5 100%);--wp--preset--gradient--electric-grass:linear-gradient(135deg,#caf880 0%,#71ce7e 100%);--wp--preset--gradient--midnight:linear-gradient(135deg,#020381 0%,#2874fc 100%);--wp--preset--font-size--small:13px;--wp--preset--font-size--medium:20px;--wp--preset--font-size--large:36px;--wp--preset--font-size--x-large:42px;--wp--preset--spacing--20:.44rem;--wp--preset--spacing--30:.67rem;--wp--preset--spacing--40:1rem;--wp--preset--spacing--50:1.5rem;--wp--preset--spacing--60:2.25rem;--wp--preset--spacing--70:3.38rem;--wp--preset--spacing--80:5.06rem;--wp--preset--shadow--natural:6px 6px 9px rgba(0,0,0,.2);--wp--preset--shadow--deep:12px 12px 50px rgba(0,0,0,.4);--wp--preset--shadow--sharp:6px 6px 0px rgba(0,0,0,.2);--wp--preset--shadow--outlined:6px 6px 0px -3px rgba(255,255,255,1),6px 6px rgba(0,0,0,1);--wp--preset--shadow--crisp:6px 6px 0px rgba(0,0,0,1);}:where(.is-layout-flex){gap:.5em;}:where(.is-layout-grid){gap:.5em;}body .is-layout-flex{display:flex;}.is-layout-flex{flex-wrap:wrap;align-items:center;}.is-layout-flex > :is(*,div){margin:0;}body .is-layout-grid{display:grid;}.is-layout-grid > :is(*,div){margin:0;}:where(.wp-block-columns.is-layout-flex){gap:2em;}:where(.wp-block-columns.is-layout-grid){gap:2em;}:where(.wp-block-post-template.is-layout-flex){gap:1.25em;}:where(.wp-block-post-template.is-layout-grid){gap:1.25em;}.has-black-color{color:var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color:var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color:var(--wp--preset--color--white) !important;}.has-pale-pink-color{color:var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color:var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color:var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color:var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color:var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color:var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color:var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color:var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color:var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color:var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color:var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color:var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color:var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color:var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color:var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color:var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color:var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color:var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color:var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color:var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color:var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color:var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color:var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color:var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color:var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color:var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color:var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color:var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color:var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color:var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color:var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color:var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color:var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background:var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background:var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background:var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background:var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background:var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background:var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background:var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background:var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background:var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background:var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background:var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background:var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size:var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size:var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size:var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size:var(--wp--preset--font-size--x-large) !important;}:where(.wp-block-post-template.is-layout-flex){gap:1.25em;}:where(.wp-block-post-template.is-layout-grid){gap:1.25em;}:where(.wp-block-columns.is-layout-flex){gap:2em;}:where(.wp-block-columns.is-layout-grid){gap:2em;}:root :where(.wp-block-pullquote){font-size:1.5em;line-height:1.6;}.e-con.e-parent:nth-of-type(n+4):not(.e-lazyloaded):not(.e-no-lazyload),.e-con.e-parent:nth-of-type(n+4):not(.e-lazyloaded):not(.e-no-lazyload) *{background-image:none !important;}@media screen and (max-height: 1024px){.e-con.e-parent:nth-of-type(n+3):not(.e-lazyloaded):not(.e-no-lazyload),.e-con.e-parent:nth-of-type(n+3):not(.e-lazyloaded):not(.e-no-lazyload) *{background-image:none !important;}.e-con.e-parent:nth-of-type(n+3):not(.e-lazyloaded):not(.e-no-lazyload).nitro-lazy,.e-con.e-parent:nth-of-type(n+3):not(.e-lazyloaded):not(.e-no-lazyload) *.nitro-lazy{background-image:none !important;}}@media screen and (max-height: 640px){.e-con.e-parent:nth-of-type(n+2):not(.e-lazyloaded):not(.e-no-lazyload),.e-con.e-parent:nth-of-type(n+2):not(.e-lazyloaded):not(.e-no-lazyload) *{background-image:none !important;}.e-con.e-parent:nth-of-type(n+2):not(.e-lazyloaded):not(.e-no-lazyload).nitro-lazy,.e-con.e-parent:nth-of-type(n+2):not(.e-lazyloaded):not(.e-no-lazyload) *.nitro-lazy{background-image:none !important;}}.e-con.e-parent:nth-of-type(n+4):not(.e-lazyloaded):not(.e-no-lazyload).nitro-lazy,.e-con.e-parent:nth-of-type(n+4):not(.e-lazyloaded):not(.e-no-lazyload) *.nitro-lazy{background-image:none !important;}body.custom-background{background-color:#fff;}@media (min-width: 992px){.nav__flex-parent{height:90px;}.nav{min-height:90px;}.nav__menu > li > a{line-height:90px;}.nav--sticky.sticky .nav__flex-parent{height:68px;}.nav--sticky.sticky .nav__menu > li > a{line-height:68px;color:#656970;}.nav__menu > li{padding-left:12px;padding-right:12px;}.nav--default{background-color:rgba(255,255,255,0);}.nav--default .nav__menu > li > a{color:#000;}.nav--default .nav__dropdown-menu,.nav--default .nav__menu > .nav__dropdown > .nav__dropdown-menu:before{background-color:#001b70;}.nav--default .nav__dropdown-menu > li > a{color:#fff;}.nav--default .nav__dropdown-menu > li > a:hover,.nav--default .nav__dropdown-menu > li > a:focus{color:#5579fd;}.nav--sticky.sticky{background-color:rgba(255,255,255,1);}.nav--sticky.sticky .nav__menu > li > a:hover,.nav--sticky.sticky .nav__menu > li.active > a,.nav--sticky.sticky .nav__menu > .current_page_parent > a,.nav--sticky.sticky .nav__menu .current-menu-item > a{color:#1e73be;}.nav--transparent{background-color:rgba(255,255,255,0);}.nav--transparent .nav__menu > li > a{color:#fff;}.nav--transparent .nav__menu > li > a:hover,.nav--transparent .nav__menu > li > a:focus .nav--transparent .nav__menu > li.active > a,.nav--transparent .nav__menu > .current_page_parent > a{color:#fff;}.nav--transparent .nav__dropdown-menu,.nav--transparent .nav__menu > .nav__dropdown > .nav__dropdown-menu:before{background-color:#fff;}.nav--transparent .nav__dropdown-menu > li:not(.current-menu-item) > a{color:#656970;}.nav--transparent .nav__dropdown-menu > li > a:hover,.nav--transparent .nav__dropdown-menu > li > a:focus{color:#2550de;}}@media (max-width: 991px){.nav__header{height:60px;}.nav{min-height:60px;background-color:#fff;}.nav__menu > li > a{color:#353f58;}.nav__menu li a{border-bottom-color:rgba(231,234,240,1);}}.nav__header .logo{max-height:60px;}.nav--sticky.sticky .nav__header .logo{max-height:48px;}.page-title{padding-top:90px;padding-bottom:115px;background-color:#fff;}a,.loader,.highlight,.comment-edit-link,.footer .widget.widget_calendar a,.widget_rss .rsswidget:hover,.widget_recent_entries a:hover,.widget_recent_comments a:hover,.widget_nav_menu a:hover,.widget_archive a:hover,.widget_pages a:hover,.widget_categories a:hover,.widget_meta a:hover,.footer__nav-menu li a:hover,.footer__widgets .widget a:hover,.copyright a:hover,.copyright a:focus,.link-underline:hover,.link-underline:focus,.case-study__category:hover,.case-study__category:focus{color:#0c8ff8;}.btn,.btn--color,button,input[type="button"],input[type="reset"],input[type="submit"],.button,.btn--button:focus,.btn:hover,.elementor-widget-button .elementor-button,a.cc-btn.cc-dismiss,.mc4wp-form-fields input[type=submit]:focus,.post-password-form label + input,#back-to-top:hover,.widget_tag_cloud a:hover,.entry__tags a:hover,.page-numbers.current,.pagination a:hover,.link-underline:after,.project-filter a.active,.project-filter a:hover,.project-filter a:focus{background-color:#0c8ff8;}input:focus,textarea:focus{border-color:#1f1ddb;}.elementor-widget-tabs .elementor-tab-title.elementor-active{border-top-color:#0c8ff8;}.blog-section,.archive-section,.search-results-section{background-color:#fff;}.nav--default .nav__menu > li > a:hover,.nav--default .nav__menu > li > a:focus,.nav--default .nav__menu > li.active > a,.nav--default .nav__menu > .current_page_parent > a,.nav--default .nav__menu .current-menu-item > a{color:#1e73be;}.nav--default .nav__btn{background-color:#001b70;color:#fff;}.nav--default .nav__btn:hover,.nav--default .nav__btn:focus{background-color:#d11c46;}.nav--sticky.sticky .nav__btn{background-color:#001b70;color:#fff;}.nav--transparent .nav__btn{background-color:#ff3467;color:#fff;}.nav--transparent .nav__btn:hover,.nav--default .nav__btn:focus{background-color:#81d742;}.nav__icon-toggle-bar{background-color:#282e38;}.page-title__title{color:#353f58;}.page-title__subtitle{color:#656970;}.breadcrumbs-wrap{background-color:#f7fbff;}.breadcrumbs a{color:#353f58;}.breadcrumbs__separator{color:#656970;}.breadcrumbs > span{color:#656970;}.entry__article p a,.entry__article li:not(.wp-social-link) a{color:#000;}.entry__meta li,.entry__meta a,.comment-date{color:#fff;}h1,h2,h3,h4,h5,h6{color:#353f58;}body,.deo-newsletter-gdpr-checkbox__label,figcaption,.comment-form-cookies-consent label,.pagination span,.pagination a{color:#656970;}.elementor-widget-wp-widget-recent-posts a,.widget_recent_entries a,.elementor-widget-wp-widget-nav_menu a,.widget_nav_menu a,.elementor-widget-wp-widget-categories a,.widget_categories a,.elementor-widget-wp-widget-pages a,.widget_pages a,.elementor-widget-wp-widget-pages-archives a,.widget_archive a,.elementor-widget-wp-widget-meta a,.widget_meta a{color:#656970;}.footer{background-color:#032747;}.footer__bottom,.footer{border-color:#fff;}.footer .widget-title{color:#000;}.footer,.footer .social,.footer__nav-menu li a,.footer .widget_recent_entries a,.footer .widget_nav_menu a,.footer .widget_categories a,.footer .widget_pages a,.footer .widget_archive a,.footer .widget_meta a{color:#fff;}.copyright,.copyright a{color:#fff;}.footer__col-2 > .widget:first-child .widget-title{color:#46d19b;}.footer__col-2 > .widget:last-child .widget-title{color:#fff;}.footer__col-3 > .widget:first-child .widget-title{color:#fff;}.footer__col-3 > .widget:last-child .widget-title{color:#f38e26;}.cc-window{background-color:#114a9a;}.cc-message{color:#fff;}.cc-link,.cc-link:active,.cc-link:visited,.cc-link:hover,.cc-link:focus{color:#fff;}a.cc-btn.cc-dismiss{background-color:#3f890b;color:#fff;}h1,.h1{font-family:Rubik;font-size:38px;font-weight:500;letter-spacing:-.05em;line-height:1.3;}h2,.h2{font-family:Rubik;font-size:32px;font-weight:500;letter-spacing:-.05em;line-height:1.3;}h3,.h3{font-family:Lato;}h4,.h4{font-family:Rubik;font-size:24px;font-weight:500;letter-spacing:-.05em;line-height:1.3;}h5,.h5{font-family:Rubik;font-size:20px;font-weight:500;letter-spacing:-.05em;line-height:1.3;}h6,.elementor-widget-tabs .elementor-tab-title,.elementor-accordion .elementor-tab-title{font-family:Rubik;font-size:16px;font-weight:500;letter-spacing:-.05em;line-height:1.3;}body,input{font-size:15px;}.entry__article{font-size:1.125rem;line-height:1.8;}.nav__menu li a{font-size:16px;}