CVE-2015-8813 : The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/dashboard/Fee

The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/dashboard/FeedProxy.aspx.cs in Umbraco before 7.4.0 allows remote attackers to conduct server-side request forgery (SSRF) attacks via the url parameter.

Published 2017-03-03 16:59:00

Updated 2017-03-07 13:46:36

Source MITRE

View at NVD, CVE.org

Vulnerability category: Server-side request forgery (SSRF)

Products affected by CVE-2015-8813

Umbraco » Umbraco
Versions up to, including, (<=) 7.3.8
cpe:2.3:a:umbraco:umbraco:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-8813

EPSS FAQ

83.45%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-8813

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
8.2	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N	2.8	4.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: High Availability: None

CWE ids for CVE-2015-8813

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-8813

http://www.openwall.com/lists/oss-security/2016/02/17/1

oss-security - Re: Re: Umbraco - The open source ASP.NET CMS Multiple Vulnerabilities
Mailing List;Third Party Advisory
http://issues.umbraco.org/issue/U4-7457

Issue Tracking
http://www.openwall.com/lists/oss-security/2016/02/18/8

oss-security - Re: Re: Umbraco - The open source ASP.NET CMS Multiple Vulnerabilities
Mailing List;Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/02/16/10

oss-security - Re: Umbraco - The open source ASP.NET CMS Multiple Vulnerabilities
Mailing List;Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2016/02/17/5

oss-security - Re: Umbraco - The open source ASP.NET CMS Multiple Vulnerabilities
Exploit;Mailing List;Third Party Advisory
https://github.com/umbraco/Umbraco-CMS/commit/924a016ffe7ae7ea6d516c07a7852f0095eddbce

Fixes U4-7457 Server side request forgery (xsrf) in feedproxy.aspx · umbraco/Umbraco-CMS@924a016 · GitHub
Patch;Vendor Advisory

Jump to

Vulnerability Details : CVE-2015-8813

Products affected by CVE-2015-8813

Exploit prediction scoring system (EPSS) score for CVE-2015-8813

CVSS scores for CVE-2015-8813

CWE ids for CVE-2015-8813

References for CVE-2015-8813