CVE-2024-35239
LOW
Umbraco Forms <8.13.13, 13.0.0-13.0.1 - Authenticated Stored Cross-Site Scripting in Forms Components
Title source: llm
Description
Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).
References (5)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4
Product x_refsource_misc
https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values
Release Notes x_refsource_misc
https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024
Release Notes x_refsource_misc
https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes
Release Notes x_refsource_misc
https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024
Scores
CVSS v3
2.7
EPSS
0.0057
EPSS Percentile
68.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
nuget/Umbraco.Forms
13.0.0 - 13.0.1 NuGet
umbraco/umbraco_forms
< 8.13.13
Published
May 28, 2024
Tracked Since
Feb 18, 2026