{"api_version":"1","generated_at":"2026-05-06T06:56:39+00:00","cve":"CVE-2017-15280","urls":{"html":"https://cve.report/CVE-2017-15280","api":"https://cve.report/api/cve/CVE-2017-15280.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-15280","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-15280"},"summary":{"title":"CVE-2017-15280","description":"XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2017-10-12 08:29:00","updated_at":"2017-10-25 12:53:00"},"problem_types":["CWE-611"],"metrics":[],"references":[{"url":"https://github.com/umbraco/Umbraco-CMS/commit/5dde2efe0d2b3a47d17439e03acabb7ea2befb64","name":"https://github.com/umbraco/Umbraco-CMS/commit/5dde2efe0d2b3a47d17439e03acabb7ea2befb64","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"U4-10506 Importing a specially crafted document type file can cause X… · umbraco/Umbraco-CMS@5dde2ef · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://issues.umbraco.org/issue/U4-10506","name":"http://issues.umbraco.org/issue/U4-10506","refsource":"CONFIRM","tags":["Issue Tracking","Patch","Vendor Advisory"],"title":"U4-10506 - Importing a specially crafted document type file can cause XXE attack","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-15280","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15280","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"15280","vulnerable":"1","versionEndIncluding":"7.7.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"umbraco","cpe5":"umbraco_cms","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2017-15280","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://github.com/umbraco/Umbraco-CMS/commit/5dde2efe0d2b3a47d17439e03acabb7ea2befb64","refsource":"CONFIRM","url":"https://github.com/umbraco/Umbraco-CMS/commit/5dde2efe0d2b3a47d17439e03acabb7ea2befb64"},{"name":"http://issues.umbraco.org/issue/U4-10506","refsource":"CONFIRM","url":"http://issues.umbraco.org/issue/U4-10506"}]}},"nvd":{"publishedDate":"2017-10-12 08:29:00","lastModifiedDate":"2017-10-25 12:53:00","problem_types":["CWE-611"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*","versionEndIncluding":"7.7.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"15280","Ordinal":"112784","Title":"CVE-2017-15280","CVE":"CVE-2017-15280","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"15280","Ordinal":"1","NoteData":"XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"15280","Ordinal":"2","NoteData":"2017-10-12","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"15280","Ordinal":"3","NoteData":"2017-10-12","Type":"Other","Title":"Modified"}]}}}