Umbraco contains an open proxy weakness. The issue is triggered when input passed via the 'URL' parameter is not properly sanitized before being used in the FeedProxy.aspx script. This may allow an attacker to cause a denial of service or potentially bypass access restrictions or perform an XSS or phishing attack.
Classification
Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Workaround, Upgrade
Exploit: Exploit Private
Disclosure: Coordinated Disclosure
OSVDB: Web Related
Solution
Upgrade to version 5 or higher, as it has been reported to fix this vulnerability. As a temporary workaround, delete the FeedProxy.aspx script.
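
One way to check web-server logs for use of the proxy before the script is removed, as an added example that is not part of the original advisory: it reads IIS W3C-format log text, finds requests to FeedProxy.aspx and reports those whose URL parameter names a host outside an allowlist. The log lines, the `/cms/` path and the allowlist are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts this site legitimately fetches feeds from.
ALLOWED_FEED_HOSTS = {"feeds.example.org"}

# Constructed IIS W3C log sample (not real traffic; path is hypothetical).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-05 10:00:01 203.0.113.7 GET /cms/FeedProxy.aspx url=http://feeds.example.org/rss 200
2024-01-05 10:00:09 203.0.113.9 GET /cms/feedproxy.aspx URL=http%3A%2F%2F10.0.0.5%2Fadmin 200
2024-01-05 10:00:15 203.0.113.9 GET /cms/FeedProxy.aspx url=other.example.net/login 200
2024-01-05 10:00:20 198.51.100.4 GET /default.aspx - 200
"""

def proxied_host(query):
    """Return the lower-cased host named by the url parameter, or None if absent."""
    # Parameter names are matched case-insensitively; parse_qs also URL-decodes.
    params = {k.lower(): v for k, v in parse_qs(query).items()}
    values = params.get("url")
    if not values:
        return None
    target = values[0]
    if "://" not in target:
        target = "//" + target  # scheme-less value: still extract a host
    return (urlsplit(target).hostname or "").lower()

def find_proxy_abuse(log_text, allowed=ALLOWED_FEED_HOSTS):
    """Return (client_ip, target_host) for FeedProxy.aspx requests to non-allowed hosts."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith("/feedproxy.aspx"):
            continue
        host = proxied_host(row.get("cs-uri-query", ""))
        if host is not None and host not in allowed:
            hits.append((row.get("c-ip"), host))
    return hits

if __name__ == "__main__":
    for client, host in find_proxy_abuse(SAMPLE_LOG):
        print(f"{client} used FeedProxy.aspx to reach {host}")
```

Any hit after the script has been deleted or the site upgraded indicates that a copy of FeedProxy.aspx is still being served.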