CVE-2023-49279: 
C# vulnerability analysis and mitigation

CVE-2023-49279 affects Umbraco, an ASP.NET content management system (CMS). The vulnerability was discovered and disclosed on December 12, 2023, affecting versions starting from 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0. The issue allows authenticated users with backoffice access to upload SVG files containing malicious scripts (Umbraco Advisory).

The vulnerability is classified as a Stored Cross-site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 base score of 5.4 MEDIUM from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while GitHub assigned it a lower score of 3.7 LOW with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N (NVD).

When exploited, the vulnerability allows an attacker with backoffice access to upload SVG files containing malicious scripts. If another user can be tricked into loading the media directly in a browser, these scripts can be executed, potentially leading to cross-site scripting attacks (Umbraco Advisory).

The vulnerability has been patched in versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0. For users unable to update immediately, two workarounds are available: implement server-side file validation or serve all media from a different host than where Umbraco is hosted (Umbraco Advisory).