Umbraco CMS 8.5.3 allows an authenticated file upload

Overview :
Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality.

Umbraco CMS 8.5.3 – Authenticated FileUpload PoC

Attack Type: File Upload

Product Version: 8.5.3

OWASP Category: Unrestricted File Upload

Solution: Add package integrity mechanisms and/or file extension whitelist/blacklist filtering

Summary: Umbraco CMS 8.5.3 allows an authenticated file upload via the Packages functionality

Technical Description: See CVE-2020-9472.pdf

Exploit: See exploit_local.py

 
Vulnerability Details :
CVE ID :

CVE-2020-9472

Reference Order

References are typically listed in the order below:

  • Initial announcement
  • Response team advisory
  • Vendor acknowledgement/advisory
  • All other public sources
Facebook
Twitter
LinkedIn

Recent Blog Posts

Best End-to-End Encryption Tools for 2025
Top 6 WAF Alternatives for Cloud-Native Apps
Top F5 WAF Alternatives for 2025
Top 10 Bot Mitigation Tools for 2025
Top 5 WAAP Platforms Compared (2025 Guide)

WAF Solution