GHSA-p572-p2rj-q5f4

Published: May 28, 2024
Source: github
GitHub: Reviewed
CVSS3: 2.7

Description

Umbraco Forms components vulnerable to Stored Cross-site Scripting

Impact

An authenticated user who has access to edit Forms may inject unsafe code into Forms components.

Patches

The issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).

References

https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024
https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024
https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes
https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values

Packages

| Name | Ecosystem | Affected versions | Fixed version |
|---|---|---|---|
| Umbraco.Forms | nuget | >= 13.0.0, < 13.0.1 | 13.0.1 |
| Umbraco.Forms | nuget | >= 12.0.0, < 12.2.2 | 12.2.2 |
| Umbraco.Forms | nuget | >= 10.0.0, < 10.5.3 | 10.5.3 |
| Umbraco.Forms | nuget | >= 8.0.0, < 8.13.13 | 8.13.13 |

EPSS

Percentile: 68%
Score: 0.00568
Rating: Low

CVSS3: 2.7 Low

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 2.7
nvd
more than 1 year ago

Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).
