PatchSiren cyber security CVE debrief

CVE-2015-8814 Umbraco CVE debrief

CVE-2015-8814 describes a cross-site request forgery (CSRF) weakness in Umbraco before 7.4.0 where anti-forgery security measures could be bypassed. The CVE record and NVD classify the issue as high severity (CVSS 8.8) with network attack vector and user interaction required. Official references include the Umbraco issue tracker, an oss-security mailing list post, and the vendor patch commit.

Vendor: Umbraco
Product: CVE-2015-8814
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

Operators and developers running affected Umbraco CMS versions before 7.4.0 should care most, especially if administrative or account-management actions are exposed in the browser. Security teams responsible for web application hardening and change control should also review this advisory because the flaw targets request validation and can affect authenticated workflows.

Technical summary

The vulnerability is a CSRF flaw tied to anti-forgery validation bypass in Umbraco. NVD lists CWE-352 and a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating remote exploitation that depends on a victim interacting with a crafted request or page. The source description notes that the issue was demonstrated by editing user account information in templates.asmx.cs. The official patch reference is the Umbraco GitHub commit 18c3345e47663a358a042652e697b988d6a380eb.

Defensive priority

High. Even though user interaction is required, the impact rating is severe and the flaw affects request integrity in a web application context. Prioritize patching any exposed or internet-facing Umbraco deployments first, then verify that anti-forgery protections are enforced across administrative and account-changing endpoints.

Recommended defensive actions

Upgrade Umbraco to a fixed version at or above 7.4.0.
Review any custom templates, account-management flows, or administrative endpoints for CSRF protections.
Confirm that anti-forgery tokens are enforced consistently on state-changing requests.
Inspect the vendor patch commit and related issue tracker discussion to understand the affected code path.
If immediate upgrading is not possible, reduce exposure of administrative interfaces and require additional access controls while planning remediation.

Evidence notes

All claims here are taken from the supplied CVE/NVD corpus and its official references. The CVE description states that Umbraco before 7.4.0 allows remote attackers to bypass anti-forgery security measures and conduct CSRF attacks. NVD lists CWE-352, CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a vulnerable CPE for umbraco 7.3.8. References point to the Umbraco issue tracker, an oss-security mailing list post, and the vendor patch commit. No KEV entry was provided.

Official resources

CVE-2015-8814 CVE record
CVE.org
CVE-2015-8814 NVD detail
NVD
Source item URL
nvd_modified
Source reference
[email protected] - Issue Tracking
Source reference
[email protected] - Mailing List
Mitigation or vendor reference
[email protected] - Patch

CVE published 2017-03-03 and last modified 2026-05-13 in the supplied record. The issue references indicate disclosure discussion on oss-security and remediation via a vendor patch commit. This debrief uses the CVE publication date for CVE/