Brief Description:
A medium-severity vulnerability was identified in the CMS, where the application did not properly validate uploaded files. This flaw allowed the upload of potentially malicious file types, including .docm and .html. When accessed by application users, these files could be used to execute malicious actions or compromise the users' systems.
Affected Versions:
EPiServer.CMS.UI versions before 12.32.0.
Solutions and Mitigations:
Upgrade to EPiServer.CMS.UI version 12.32.0, which includes patches to restrict file uploads and validate file types appropriately.
For Users that Cannot Upgrade:
Users unable to upgrade to the fixed version should implement the following mitigations:
- File Type Validation: Configure the application to accept only a strict set of allowed file types, rejecting executable and potentially malicious formats such as doc, HTML, and SVG.
- Antivirus Scanning: Integrate a real-time antivirus scanning solution to scan all uploaded files before storing them on the server or presenting them to users.
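An allowlist-based upload validator of the kind the first mitigation describes, added here as an example and not Optimizely's or EPiServer's own code; the allowlist, the marker list and the sample Office builder are assumptions for illustration. It goes beyond a bare extension filter by also checking magic bytes and rejecting a macro-enabled OOXML document relabelled as .docx.

```python
import io
import zipfile

# Constructed allowlist for this example; a real deployment tunes it to its needs.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "docx", "xlsx"}
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8", "pdf": b"%PDF-", "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04",
}
# OOXML parts that only exist in macro-enabled documents (docm/xlsm).
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin")
# Markup that would make a browser render the file as active content.
ACTIVE_MARKERS = (b"<script", b"<svg", b"<html", b"<iframe", b"javascript:")

def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file, checking extension,
    magic bytes, embedded VBA parts and active markup in that order."""
    name = filename.lower()
    if "." not in name:
        return False, "missing extension"
    ext = name.rsplit(".", 1)[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not in allowlist"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match claimed type"
    if ext in ("docx", "xlsx"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return False, "corrupt office container"
        if any(part in names for part in MACRO_PARTS):
            return False, "macro-enabled document disguised as macro-free"
    if any(marker in data[:4096].lower() for marker in ACTIVE_MARKERS):
        return False, "active markup detected"
    return True, "ok"

def build_sample_office(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```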
Severity:
Medium
CVSS Score:
6.3
CVE ID:
CVE-2025-22389
Date Published:
January 3, 2025