CVE-2024-55488
MEDIUM
Umbraco CMS 14.3.1 - Authenticated Stored Cross-Site Scripting in Rich Text Display
Title source: llm
Description
A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. NOTE: This has been disputed by the vendor since this potential attack is only possible via authenticated users who have been manually allowed access to the CMS. There was a deliberate decision made not to apply HTML sanitization at the product level.
References (2)
Core References
Product
http://umbraco.com
Exploit, Third Party Advisory
https://www.nccgroup.com/us/research-blog/technical-advisory-cross-site-scripting-in-umbraco-rich-text-display/
Scores
CVSS v3
6.5
EPSS
0.0029
EPSS Percentile
52.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
nuget/Umbraco.Cms.Infrastructure
0 - 15.0.0
NuGet
umbraco/umbraco_cms
14.3.1
Published
Jan 22, 2025
Tracked Since
Feb 18, 2026