Publish GHSA-54mj-vcvj-q3v5

Author: advisory-database[bot]

advisories/github-reviewed/2025/12/GHSA-54mj-vcvj-q3v5/GHSA-54mj-vcvj-q3v5.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-54mj-vcvj-q3v5",
-  "modified": "2026-01-03T00:24:47Z",
+  "modified": "2026-01-22T16:53:47Z",
   "published": "2025-12-22T21:30:33Z",
   "aliases": [
     "CVE-2025-67288"
   ],
   "summary": "Umbraco CMS has an arbitrary file upload vulnerability",
-  "details": "An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file.",
+  "details": "An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. While Umbraco provides [hooks to perform file validation](https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation), it does not do implement filtering by default. Users are expected to implement their own validation.\n\nNote: This vulnerability is [disputed by Ubraco](https://github.com/github/advisory-database/pull/6633).",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -44,6 +44,14 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67288"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/github/advisory-database/pull/6633"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/umbraco/Umbraco-CMS"