CVE-2017-15279
MEDIUMUmbraco CMS < 7.7.3 - Stored Cross-Site Scripting via Page Name Parameter
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 allows remote attackers to inject arbitrary web script or HTML via the "page name" (aka nodename) parameter during the creation of a new page, related to Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs and Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs.
References (2)
Core 2
Core References
Patch, Vendor Advisory x_refsource_confirm
http://issues.umbraco.org/issue/U4-10497
Patch, Third Party Advisory x_refsource_confirm
https://github.com/umbraco/Umbraco-CMS/commit/fe2b86b681455ac975b294652064b2718d4e2ba2
Scores
CVSS v3
5.4
EPSS
0.0019
EPSS Percentile
41.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
nuget/UmbracoCMS.Web
0 - 7.7.3NuGet
umbraco/umbraco_cms
< 7.7.2
Published
Oct 12, 2017
Tracked Since
Feb 18, 2026