PatchSiren

PatchSiren cyber security CVE debrief

CVE-2015-8815 Umbraco CVE debrief

CVE-2015-8815 covers multiple cross-site scripting (XSS) vulnerabilities in Umbraco before 7.4.0, reachable through the name parameter on the media page, the developer data edit page, and the form page. A remote attacker can use it to inject arbitrary web script or HTML into those pages as they are rendered for another user. NVD rates the issue medium severity (CVSS 3.0 base score 6.1) and classifies it as CWE-79.

Vendor
Umbraco
Product
Umbraco
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-03
Original CVE updated
2026-05-13
Advisory published
2017-03-03
Advisory updated
2026-05-13

Who should care

Umbraco administrators, application owners, and developers responsible for CMS back-office security should prioritize this issue if they run a version before 7.4.0 or maintain custom integrations around the listed back-office pages.

Technical summary

The NVD record describes XSS vectors affecting the name parameter on three Umbraco back-office pages: the media page, the developer data edit page, and the form page. The CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) says the attack is network-reachable, needs no privileges on the attacker's side, and requires user interaction: a victim holding a back-office session must open a crafted link or page, after which the injected script runs in the victim's browser with that session's authority, affecting confidentiality and integrity. NVD maps the weakness to CWE-79. Its CPE criteria list affected versions up to and including 7.3.8, while the narrative description says versions before 7.4.0; the two statements are consistent, with 7.3.8 the highest version the CPE data marks as affected and 7.4.0 the first fixed release.
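
Because the injection point is a query parameter, attempts against the affected pages are visible in ordinary web-server access logs. The scanner below is an added example written for this debrief, not code from Umbraco or from the advisory sources: it parses Combined Log Format lines, extracts every value of the name parameter, undoes repeated percent-encoding and HTML entities so double-encoded payloads are judged on what the browser would see, and flags values that contain markup, event handlers, or javascript: URIs. The log lines are constructed for illustration, and the paths in them are placeholders, since the advisory text does not give the real back-office URLs; the scanner therefore keys on the parameter rather than on any path.

```python
import re
import urllib.parse
from html import unescape

# Constructed Combined-Log-Format lines for illustration only (not real Umbraco
# traffic). The paths are placeholders: the real back-office URLs are not given
# in the advisory text, so the scanner keys on the "name" query parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2017:10:01:02 +0000] "GET /umbraco/media?name=Brochure+v2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2017:10:02:40 +0000] "GET /umbraco/media?name=Terms+%26+Conditions HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2017:10:03:17 +0000] "GET /umbraco/media?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5204 "-" "curl/7.52"
198.51.100.7 - - [12/Mar/2017:10:03:21 +0000] "GET /umbraco/developer/data/edit?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4410 "-" "curl/7.52"
10.0.0.8 - - [12/Mar/2017:10:05:00 +0000] "POST /umbraco/form HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Indicators of HTML/script injection in a value destined for an HTML page.
INDICATORS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-z!?]", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
]


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding and HTML entities so a double-encoded
    payload is judged on what the browser would ultimately render."""
    for _ in range(max_rounds):
        decoded = unescape(urllib.parse.unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str, param: str = "name") -> list:
    """Return one finding per request whose `param` query value looks like
    markup or script. Only the query string is visible in access logs, so a
    value submitted in a POST body (as on a form page) is not covered here."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urllib.parse.urlsplit(m["target"])
        values = urllib.parse.parse_qs(parsed.query, keep_blank_values=True).get(param, [])
        for raw in values:
            decoded = decode_layers(raw)
            reasons = [label for label, rx in INDICATORS if rx.search(decoded)]
            if reasons:
                findings.append({
                    "ip": m["ip"],
                    "path": parsed.path,
                    "value": decoded,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['reasons']} {f['value']!r}")
```

On the sample above the two benign requests pass, the plain script tag and the double-encoded image tag with an event handler are both flagged, and the POST line yields nothing because its body is not logged. A hit is a reason to pull the session and source address for review, not proof of compromise; the response status alone does not tell you whether the payload rendered.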

Defensive priority

Medium priority. The issue is not in KEV and there is no supplied evidence of active exploitation, but XSS in an administrative interface still deserves attention: script running in an administrator's browser can act with that administrator's session (session riding), read what the session can read, and alter content, so leaving it unpatched trades a low-effort upgrade for a plausible privilege-abuse path.

Recommended defensive actions

  • Upgrade Umbraco to 7.4.0 or later, the first version the CVE description places outside the affected range.
  • Review any custom back-office extensions or templates that render the affected name field, and apply output encoding appropriate to the context (HTML body versus attribute value) at the point of rendering rather than relying on input filtering.
  • Verify that the listed admin pages encode untrusted input before rendering HTML, rather than assuming the framework does so for every path.
  • Restrict administrative access and use least-privilege accounts so that a payload executing in an administrator's browser cannot reach more than that administrator could.
  • Confirm remediation in a staging environment after the upgrade by submitting a harmless marker containing <, >, and quote characters in the name parameter of each affected page and checking that the response reflects it only in encoded form.
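
The last step is easy to get wrong by eye, because a page that encodes angle brackets may still leave quotes raw inside an attribute. The checker below is an added example for this debrief, not Umbraco's code or a tool from the advisory references: it sends a unique marker followed by the sensitive characters in the name parameter (the parameter name comes from the CVE description; the page URL and the session cookie are assumed inputs you supply from your own staging instance), then walks every reflection of the marker character by character, accepting either the raw character or one of its entity spellings, and reports which characters came through unencoded. The three response fragments at the bottom are constructed stand-ins for real page HTML.

```python
import re
import urllib.parse
import urllib.request

# Unique marker followed by the characters that matter in HTML and attribute
# context; the marker lets us locate every reflection without false hits.
MARKER = "zq7probe"
PROBE = MARKER + "<x>\"'"

# Accepted encoded spellings of each sensitive character. A reflection using
# one of these is treated as encoded; the bare character is treated as raw.
ENCODED = {
    "<": ("&lt;", "&#60;", "&#060;", "&#x3c;", "&#x3C;"),
    ">": ("&gt;", "&#62;", "&#062;", "&#x3e;", "&#x3E;"),
    '"': ("&quot;", "&#34;", "&#034;", "&#x22;"),
    "'": ("&#39;", "&#039;", "&#x27;", "&apos;"),
}


def _consume(body: str, pos: int, ch: str):
    """Match one probe character at `pos`, encoded or raw.
    Returns (length_consumed, was_raw) or None if neither form is present."""
    for enc in ENCODED.get(ch, ()):
        if body.startswith(enc, pos):
            return len(enc), False
    if body.startswith(ch, pos):
        return 1, True
    return None


def analyse_reflection(body: str, probe: str = PROBE, marker: str = MARKER) -> list:
    """For every place the probe is echoed back, report which sensitive
    characters came through unencoded. An empty 'raw' string means that
    reflection encoded everything that matters."""
    payload = probe[len(marker):]
    reflections = []
    for m in re.finditer(re.escape(marker), body):
        pos, raw = m.end(), ""
        for ch in payload:
            hit = _consume(body, pos, ch)
            if hit is None:
                break  # truncated or transformed; not a straight echo
            length, was_raw = hit
            if was_raw and ch in ENCODED:
                raw += ch
            pos += length
        else:
            reflections.append({"offset": m.start(), "raw": raw})
    return reflections


def classify(body: str) -> str:
    """'absent'  : probe was not echoed (filtered, or wrong page/parameter);
       'encoded' : every reflection encoded all sensitive characters;
       'raw'     : at least one reflection leaks a sensitive character."""
    refl = analyse_reflection(body)
    if not refl:
        return "absent"
    return "raw" if any(r["raw"] for r in refl) else "encoded"


def fetch_with_probe(page_url: str, cookies: str = "", param: str = "name", timeout: int = 10) -> str:
    """Request `page_url` with the probe in the `name` parameter. The back
    office requires a session, so pass the Cookie header of a staging login
    (assumed input). Run this only against a staging instance you own."""
    sep = "&" if "?" in page_url else "?"
    url = page_url + sep + urllib.parse.urlencode({param: PROBE})
    req = urllib.request.Request(url, headers={"Cookie": cookies} if cookies else {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed response fragments standing in for a staging page's HTML.
RAW_BODY = "<h1>Media: zq7probe<x>\"'</h1>"
ENCODED_BODY = "<input value=\"zq7probe&lt;x&gt;&quot;&#39;\">"
ATTR_GAP_BODY = "<input value=\"zq7probe&lt;x&gt;\"'\">"  # tags encoded, quotes not

if __name__ == "__main__":
    for label, body in [("raw", RAW_BODY), ("encoded", ENCODED_BODY), ("attr-gap", ATTR_GAP_BODY)]:
        print(label, classify(body), analyse_reflection(body))
```

Treat "absent" as inconclusive rather than fixed: it usually means the request did not reach the code path that renders the name, for example because the session was rejected, so check the page URL and cookie before recording the page as remediated. The third fragment is the case to watch for after a partial fix: angle brackets encoded but quotes raw, which is enough to break out of an attribute value.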

Evidence notes

Primary evidence comes from the official NVD record for CVE-2015-8815, which lists CWE-79, a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and affected Umbraco versions through 7.3.8 in the CPE criteria. The CVE description states the issue affects Umbraco before 7.4.0 and identifies the media page, developer data edit page, and form page as affected paths. The supplied references point to the Umbraco issue tracker entry U4-7461 and an oss-security mailing list post.

Official resources

The CVE was published by NVD on 2017-03-03 and last modified on 2026-05-13. The supplied references include the Umbraco issue tracker and an oss-security mailing list post, which provide disclosure context for the vulnerability.