PatchSiren

CVE-2015-8813 Umbraco CVE debrief

CVE-2015-8813 describes a server-side request forgery (SSRF) flaw in Umbraco’s dashboard feed proxy code. According to the CVE record, the Page_Load function in FeedProxy.aspx.cs can be abused through the url parameter, allowing a remote attacker to make the server issue requests to attacker-chosen destinations. NVD rates the issue HIGH and maps it to CWE-918. The CVE description says the issue affects Umbraco before 7.4.0, while the NVD CPE range marks versions through 7.3.8 as vulnerable.

Vendor: Umbraco
Product: CVE-2015-8813
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

Umbraco administrators, CMS operators, and hosting teams running affected Umbraco versions should treat this as a priority fix. Any environment exposed to untrusted users or integrating Umbraco dashboards into production should verify it is no longer on a vulnerable release.

Technical summary

The vulnerable code path is identified as Umbraco.Web/umbraco.presentation/umbraco/dashboard/FeedProxy.aspx.cs in the Page_Load function. The issue is triggered via the url parameter and is classified as SSRF (CWE-918). NVD’s CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N, indicating network reachability, no privileges required, user interaction required, and potential impact beyond the vulnerable component. The supplied CVE metadata indicates the affected range is before 7.4.0, with the NVD CPE entry marking versions up to 7.3.8 as vulnerable.

Defensive priority

High. This is a remotely reachable SSRF condition in a CMS component with no privileges required, and the NVD rating is 8.2 (HIGH).

Recommended defensive actions

  • Upgrade Umbraco to a fixed release at or above 7.4.0.
  • Confirm no vulnerable 7.3.8-or-earlier deployments remain in production, staging, or customer-managed instances.
  • Review whether the dashboard feed proxy functionality is exposed in your deployment and restrict access to administrative interfaces where possible.
  • Monitor outbound server requests from Umbraco hosts for unexpected destinations that could indicate SSRF abuse.
  • Use network egress controls and allowlists to reduce the impact of server-side request forgery in case similar issues exist elsewhere.
  • Validate that security scanning and asset inventory cover all Umbraco instances, including abandoned or rarely accessed sites.
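
As a starting point for the monitoring and allowlist actions above, the following added example (not code from Umbraco or from the CVE record) reviews IIS W3C request logs for FeedProxy.aspx hits and flags url values that point at internal addresses, raw IPs, or hosts outside an allowlist. It inspects the requested destination in the web log rather than actual outbound traffic, so it complements egress monitoring and does not replace it. The allowlist contents, the log field layout, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumption: feed hosts this deployment legitimately proxies (placeholder).
ALLOWED_FEED_HOSTS = {"feeds.example.org"}

def classify_target(target):
    """Return why a proxied URL is suspicious, or None if it looks expected."""
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() not in ("http", "https") or not host:
        return "unexpected scheme or missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not an IP literal
    if ip is not None:
        internal = ip.is_private or ip.is_loopback or ip.is_link_local
        return "internal address" if internal else "raw IP destination"
    if host not in ALLOWED_FEED_HOSTS:
        return "host not on allowlist"
    return None

def scan_iis_log(lines):
    """Return findings for FeedProxy.aspx hits in W3C-format IIS log lines."""
    fields, findings = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith("feedproxy.aspx"):
            continue
        for key, values in parse_qs(row.get("cs-uri-query", "")).items():
            if key.lower() == "url":  # ASP.NET query keys are case-insensitive
                for target in values:
                    reason = classify_target(target)
                    if reason:
                        findings.append((row.get("c-ip"), target, reason))
    return findings

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2016-02-10 10:00:01 GET /umbraco/dashboard/FeedProxy.aspx url=http%3A%2F%2Ffeeds.example.org%2Frss 203.0.113.10 200
2016-02-10 10:00:07 GET /umbraco/dashboard/FeedProxy.aspx url=http%3A%2F%2F10.0.0.5%2Fstatus 203.0.113.44 200
2016-02-10 10:00:09 GET /umbraco/dashboard/FeedProxy.aspx URL=http://other.example.net/feed 203.0.113.44 200
""".splitlines()
print(scan_iis_log(SAMPLE_LOG))
```

Each finding is a (client IP, requested destination, reason) tuple; hits against the allowlisted feed host are not reported.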

Evidence notes

This debrief is based on the supplied CVE record and NVD metadata only. Key evidence in the corpus includes the description of SSRF via the url parameter in FeedProxy.aspx.cs, the CWE-918 classification, the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N, the vulnerable CPE range through version 7.3.8, and the vendor patch reference to commit 924a016ffe7ae7ea6d516c07a7852f0095eddbce. The reference list also includes the Umbraco issue tracker entry U4-7457 and oss-security mailing list items from February 2016.

Official resources

The CVE record was published on 2017-03-03 and later modified on 2026-05-13. The supplied metadata links the issue to February 2016 oss-security postings, the Umbraco issue tracker, and a vendor patch commit. No KEV listing is present in a