CVE-2012-10054 (GCVE-0-2012-10054)
Vulnerability from cvelistv5 – Published: 2025-08-13 20:54 – Updated: 2025-11-20 22:28
VLAI?
Summary
Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRScript operation that permits arbitrary file uploads without authentication. By exploiting a path traversal flaw in the fileName parameter, attackers can write malicious ASPX scripts directly into the web-accessible /umbraco/ directory and execute them remotely.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Credits
Toby Clarke
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2012-10054",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T13:44:22.995765Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T14:51:44.834Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://web.archive.org/web/20120707033729/http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"codeEditorSave.asmx SOAP endpoint"
],
"product": "CMS",
"vendor": "Umbraco",
"versions": [
{
"lessThan": "4.7.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.7.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Toby Clarke"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUmbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the \u003ccode\u003ecodeEditorSave.asmx\u003c/code\u003e SOAP endpoint, which exposes a \u003ccode\u003eSaveDLRScript\u003c/code\u003e operation that permits arbitrary file uploads without authentication. By exploiting a path traversal flaw in the \u003ccode\u003efileName\u003c/code\u003e parameter, attackers can write malicious ASPX scripts directly into the web-accessible \u003ccode\u003e/umbraco/\u003c/code\u003e directory and execute them remotely.\u003c/p\u003e"
}
],
"value": "Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRScript operation that permits arbitrary file uploads without authentication. By exploiting a path traversal flaw in the fileName parameter, attackers can write malicious ASPX scripts directly into the web-accessible /umbraco/ directory and execute them remotely."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
},
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T22:28:54.447Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/umbraco_upload_aspx.rb"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/19671"
},
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://web.archive.org/web/20120707033729/http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html"
},
{
"tags": [
"product"
],
"url": "https://github.com/umbraco/Umbraco-CMS"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://web.archive.org/web/20111017174609/http://umbraco.codeplex.com/releases/view/73692"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/umbraco-cms-rce"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Umbraco CMS \u003c 4.7.1 codeEditorSave.asmx RCE",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2012-10054",
"datePublished": "2025-08-13T20:54:39.123Z",
"dateReserved": "2025-08-11T17:55:34.802Z",
"dateUpdated": "2025-11-20T22:28:54.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2012-10054\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2025-08-13T21:15:29.687\",\"lastModified\":\"2025-09-19T17:02:51.163\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRScript operation that permits arbitrary file uploads without authentication. By exploiting a path traversal flaw in the fileName parameter, attackers can write malicious ASPX scripts directly into the web-accessible /umbraco/ directory and execute them remotely.\"},{\"lang\":\"es\",\"value\":\"Las versiones de Umbraco CMS anteriores a la 4.7.1 son vulnerables a la ejecuci\u00f3n remota de c\u00f3digo no autenticado a trav\u00e9s del endpoint SOAP codeEditorSave.asmx, lo que expone una operaci\u00f3n SaveDLRScript que permite la carga de archivos arbitrarios sin autenticaci\u00f3n. Al explotar una vulnerabilidad de path traversal en el par\u00e1metro fileName, los atacantes pueden escribir scripts ASPX maliciosos directamente en el directorio web /umbraco/ y ejecutarlos remotamente.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-434\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.7.1\",\"matchCriteriaId\":\"573AF515-B347-459E-A071-1863468B6F7D\"}]}]}],\"references\":[{\"url\":\"https://github.com/umbraco/Umbraco-CMS\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Product\"]},{\"url\":\"https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/umbraco_upload_aspx.rb\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Exploit\"]},{\"url\":\"https://web.archive.org/web/20111017174609/http://umbraco.codeplex.com/releases/view/73692\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://web.archive.org/web/20120707033729/http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://www.exploit-db.com/exploits/19671\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Exploit\"]},{\"url\":\"https://www.vulncheck.com/advisories/umbraco-cms-rce\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://web.archive.org/web/20120707033729/http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Patch\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2012-10054\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-14T13:44:22.995765Z\"}}}], \"references\": [{\"url\": \"https://web.archive.org/web/20120707033729/http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-14T13:44:34.253Z\"}}], \"cna\": {\"title\": \"Umbraco CMS \u003c 4.7.1 codeEditorSave.asmx RCE\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Toby Clarke\"}], \"impacts\": [{\"capecId\": \"CAPEC-242\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-242 Code Injection\"}]}, {\"capecId\": \"CAPEC-126\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-126 Path Traversal\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Umbraco\", \"modules\": [\"codeEditorSave.asmx SOAP endpoint\"], \"product\": \"CMS\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"lessThan\": \"4.7.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/umbraco_upload_aspx.rb\", \"tags\": [\"exploit\"]}, {\"url\": \"https://www.exploit-db.com/exploits/19671\", \"tags\": [\"exploit\"]}, {\"url\": \"https://web.archive.org/web/20120707033729/http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html\", \"tags\": [\"technical-description\", \"exploit\"]}, {\"url\": \"https://github.com/umbraco/Umbraco-CMS\", \"tags\": [\"product\"]}, {\"url\": \"https://web.archive.org/web/20111017174609/http://umbraco.codeplex.com/releases/view/73692\", \"tags\": [\"vendor-advisory\", \"patch\"]}, {\"url\": \"https://www.vulncheck.com/advisories/umbraco-cms-rce\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRScript operation that permits arbitrary file uploads without authentication. By exploiting a path traversal flaw in the fileName parameter, attackers can write malicious ASPX scripts directly into the web-accessible /umbraco/ directory and execute them remotely.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUmbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the \u003ccode\u003ecodeEditorSave.asmx\u003c/code\u003e SOAP endpoint, which exposes a \u003ccode\u003eSaveDLRScript\u003c/code\u003e operation that permits arbitrary file uploads without authentication. By exploiting a path traversal flaw in the \u003ccode\u003efileName\u003c/code\u003e parameter, attackers can write malicious ASPX scripts directly into the web-accessible \u003ccode\u003e/umbraco/\u003c/code\u003e directory and execute them remotely.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434 Unrestricted Upload of File with Dangerous Type\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.7.1\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2025-11-20T22:28:54.447Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2012-10054\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-20T22:28:54.447Z\", \"dateReserved\": \"2025-08-11T17:55:34.802Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2025-08-13T20:54:39.123Z\", \"assignerShortName\": \"VulnCheck\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…