U4-10506 - Importing a specially crafted document type file can cause XXE attack

Created by Sebastiaan Janssen 06 Oct 2017, 13:14:30 Updated by Tommy Enger 17 Oct 2017, 09:46:25

The attacker can use this vulnerability to read files on the server, or for another attack like SSRF to find other open ports and services on the network.

Comments

Sebastiaan Janssen 06 Oct 2017, 13:15:10

Fixed in https://github.com/umbraco/Umbraco-CMS/commit/5dde2efe0d2b3a47d17439e03acabb7ea2befb64


Tommy Enger 17 Oct 2017, 07:22:50

Hi @sebastiaan, is it possible to give some more information about this vulnerability? How to exploit it? Do you need to be authenticated or can you be anonymous? Would you recommend upgrading ASAP because of this?


Sebastiaan Janssen 17 Oct 2017, 08:38:25

We've classified this as very low priority. Only if you import a document type (for which you need to be an authenticated administrator) which has been tampered with can this be exploited.

Any administrator in the system will have an easier time just updating a template with some malicious C# in the template editor. :-)

To be extra careful, the advice is: on your live server, don't give anybody access to the settings or developer section.


Tommy Enger 17 Oct 2017, 09:46:25

Thanks.
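
An added example, not part of the original thread and not the code from the linked commit: one way to parse an uploaded document type file in .NET so that any DOCTYPE is rejected and no external resource is ever resolved. The class and method names and the sample XML are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Linq;

public static class DocTypeImport
{
    // Hypothetical helper (not Umbraco's API): load an uploaded file with
    // DTD processing prohibited and no resolver for external resources.
    public static XDocument LoadUntrusted(Stream input)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> throws XmlException
            XmlResolver = null                      // never fetch external entities or DTDs
        };
        using (var reader = XmlReader.Create(input, settings))
        {
            return XDocument.Load(reader);
        }
    }

    // Returns false instead of throwing so the caller can reject the import.
    public static bool TryLoad(string xml, out XDocument doc)
    {
        doc = null;
        try
        {
            using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(xml)))
                doc = LoadUntrusted(ms);
            return true;
        }
        catch (XmlException)
        {
            return false; // treat as a failed import and log it
        }
    }

    public static void Main()
    {
        // Constructed samples: a plain export, and one carrying a DOCTYPE
        // with a harmless internal entity to show that DTDs are refused.
        const string clean = "<DocumentType><Info><Name>Home</Name></Info></DocumentType>";
        const string withDtd = "<!DOCTYPE DocumentType [<!ENTITY e \"x\">]>" +
                               "<DocumentType><Info><Name>&e;</Name></Info></DocumentType>";
        XDocument d;
        Console.WriteLine("clean accepted: " + TryLoad(clean, out d));
        Console.WriteLine("DOCTYPE accepted: " + TryLoad(withDtd, out d));
    }
}
```

Rejecting the DOCTYPE outright, rather than parsing it with entity expansion limited, means a tampered export fails at the import step regardless of what its entities point to.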


Priority: Normal

Type: Bug

State: Fixed

Assignee:

Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version: 7.7.3, 7.6.10

Sprint:

Story Points: 0.5

Cycle: 4