CVE-2019-25137

moderate-risk
Published 2023-05-18

Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.

Do I need to act?

!
35.5% chance of exploitation in next 30 days
EPSS score — higher than 64% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.2/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Umbraco

References (8)

Exploit https://0xdf.gitlab.io/2020/09/05/htb-remote.html
Exploit https://github.com/Ickarah/CVE-2019-25137-Version-Research
Exploit https://github.com/noraj/Umbraco-RCE
Exploit https://www.exploit-db.com/exploits/46153
Exploit https://0xdf.gitlab.io/2020/09/05/htb-remote.html
Exploit https://github.com/Ickarah/CVE-2019-25137-Version-Research
Exploit https://github.com/noraj/Umbraco-RCE
Exploit https://www.exploit-db.com/exploits/46153
47
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 16/34 · Moderate
Exposure 5/34 · Minimal