CVE-2017-15280: Improper Restriction of XML External Entity Reference

October 12, 2017 (updated October 25, 2017)

XML external entity (XXE) vulnerability in Umbraco CMS allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs.

References

issues.umbraco.org/issue/U4-10506
github.com/umbraco/Umbraco-CMS/commit/5dde2efe0d2b3a47d17439e03acabb7ea2befb64
nvd.nist.gov/vuln/detail/CVE-2017-15280

Code Behaviors & Features

Detect and mitigate CVE-2017-15280 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →