CVE-2023-49089: 
C# vulnerability analysis and mitigation

Umbraco, an ASP.NET content management system (CMS), disclosed a path traversal vulnerability (CVE-2023-49089) affecting versions from 8.0.0 up to versions 8.18.10, 10.8.1, and 12.3.0. The vulnerability allows backoffice users with package creation permissions to perform path traversal attacks, potentially writing files outside of the expected location. The issue was patched in versions 8.18.10, 10.8.1, and 12.3.0 (GitHub Advisory).

The vulnerability exists in the Package section of the Umbraco Backoffice, where authenticated users with appropriate permissions can exploit path traversal to write folders outside of the default package directory. The issue has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, while GitHub assessed it with a score of 7.7 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N (NVD).

The vulnerability allows authenticated users with package creation permissions to write files outside of the intended package directory, potentially compromising the system's integrity by placing files in unauthorized locations (GitHub Advisory).

The vulnerability has been patched in Umbraco versions 8.18.10, 10.8.1, and 12.3.0. Users are advised to upgrade to these or later versions to address the security issue (GitHub Advisory).