CVE-2024-35239

Stored Cross-site Scripting on Components of Umbraco Forms

CVSS 2.7 LOWEPSS 0.3%CWE-79

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 2.7EPSS 0.3%KEV nãoPoC —Patch —

Lifecycle

28 May 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Affected products

umbraco · Umbraco.Forms.Issues

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024 https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024 https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4