CVE-2024-35239 – umbraco.forms

Package

Manager: nuget
Name: umbraco.forms
Vulnerable Version: >=13.0.0 <13.0.1 || >=12.0.0 <12.2.2 || >=10.0.0 <10.5.3 || >=8.0.0 <8.13.13

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00252 pctl0.48365

Details

Umbraco Forms components vulnerable to Stored Cross-site Scripting ### Impact Authenticated user that has access to edit Forms may inject unsafe code into Forms components. ### Patches Issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13). ### References https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024 https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024 https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values

Metadata

Created: 2024-05-28T20:40:31Z
Modified: 2024-06-03T18:29:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-p572-p2rj-q5f4/GHSA-p572-p2rj-q5f4.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-p572-p2rj-q5f4
Finding: F425
Auto approve: 1