CVE-2026-46616— Umbraco 输入验证错误漏洞

Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers

Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks. This issue has been patched in versions 13.14.0 and 17.4.0.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

指向未可信站点的URL重定向(开放重定向)

Umbraco 输入验证错误漏洞

Umbraco是丹麦Umbraco公司的一套C#编写的开源的内容管理系统（CMS）。 Umbraco 13.14.0之前版本和17.4.0之前版本存在输入验证错误漏洞，该漏洞源于部分Surface控制器未能验证重定向URL，导致从用户控制查询参数派生RedirectUrl的Razor模板易受恶意重定向攻击。

N/A

N/A