NONE 0.0 NuGet

Using the directory traversal payload (“/../”) in a package name allows the package to be placed in other folders.

GHSA-6324-52pr-h4p5 · CVE-2023-49089

Description

Impact

Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location.

Explanation of the vulnerability

The “Package” section in Umbraco Backoffice allows a logged-in user to write folders outside of the default package directory.
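
A defensive check for the flaw described above, added here as an illustration; it is not Umbraco's code or its actual fix. The class, method and directory names are hypothetical, and the sample package names are constructed.

```csharp
using System;
using System.IO;

// Hypothetical helper: resolves a user-supplied package name to a folder
// and refuses any name that would land outside the package root.
public static class PackagePathGuard
{
    public static string ResolvePackagePath(string packageRoot, string packageName)
    {
        if (string.IsNullOrWhiteSpace(packageName))
            throw new ArgumentException("Package name is empty.", nameof(packageName));

        // A package name is a single path segment: no separators, no dot segments,
        // and no characters the platform forbids in file names.
        if (packageName == "." || packageName == ".."
            || packageName.Contains('/') || packageName.Contains('\\')
            || packageName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("Package name contains path characters.", nameof(packageName));

        // Defence in depth: canonicalise both paths and require containment.
        // The trailing separator stops "packages-evil" from matching "packages".
        string root = Path.GetFullPath(packageRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar))
            root += Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, packageName));

        if (!candidate.StartsWith(root, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("Resolved path escapes the package directory.");

        return candidate;
    }

    public static void Main()
    {
        // Constructed root and names; "/../outside" mirrors the payload shape in the advisory.
        string root = Path.Combine(Path.GetTempPath(), "packages");
        foreach (var name in new[] { "MyPackage", "/../outside", "..", "a/../../b" })
        {
            try { Console.WriteLine($"{name} -> {ResolvePackagePath(root, name)}"); }
            catch (Exception ex) { Console.WriteLine($"{name} rejected: {ex.Message}"); }
        }
    }
}
```

Only `MyPackage` resolves; the other three names are rejected before any file system write would occur.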
