GHSA-2qrj-g9hq-chph

Source

https://github.com/advisories/GHSA-2qrj-g9hq-chph

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-2qrj-g9hq-chph/GHSA-2qrj-g9hq-chph.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2qrj-g9hq-chph

Aliases

CVE-2025-47280

Published

2025-05-13T20:17:36Z

Modified

2025-05-13T20:43:21.071435Z

Severity

0.0 (None) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N CVSS Calculator
2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:U CVSS Calculator

Summary

Umbraco.Forms has HTML injection vulnerability in 'Send email' workflow

Details

Impact

The 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address (potentially bypassing spam and email client security systems).

Patches

This issue affects all (supported) versions Umbraco Forms and is patched in 13.4.2 and 15.1.2.

Workarounds

Unpatched or unsupported versions can workaround this issue by using the 'Send email with template (Razor)' workflow instead or writing a custom workflow type.

To avoid accidentally using the vulnerable workflow again, the SendEmail workflow type can be removed using the following composer (tested on Umbraco 10, 13, 14 and 15): ```c# using Umbraco.Cms.Core.Composing; using Umbraco.Forms.Core.Providers.Extensions; using Umbraco.Forms.Core.Providers.WorkflowTypes;

internal sealed class RemoveFormsSendEmailWorkflowTypeComposer : IComposer { public void Compose(IUmbracoBuilder builder) => builder.FormsWorkflows().Exclude<SendEmail>(); } ```

Database specific

{
    "nvd_published_at": "2025-05-13T17:16:04Z",
    "cwe_ids": [
        "CWE-116"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-13T20:17:36Z"
}

References

Affected packages

NuGet / Umbraco.Forms

Package

Name: Umbraco.Forms; View open source insights on deps.dev
Purl: pkg:nuget/Umbraco.Forms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

13.4.2

Affected versions

9.*

9.0.0-beta002

9.0.0-beta003

9.0.0-beta004

9.0.0-rc001

9.0.0

9.0.1

9.1.0-rc001

9.1.0

9.1.1

9.2.0-rc001

9.2.0

9.2.1

9.2.2

9.3.0-rc001

9.3.0

9.4.0-rc001

9.4.0

9.4.1

9.4.2

9.5.0-rc001

9.5.0

9.5.1

9.5.2

9.5.3

9.5.4

9.5.5

9.5.6

9.5.7

9.5.8

9.5.9

10.*

10.0.0-rc1

10.0.0-rc2

10.0.0-rc3

10.0.0

10.0.1

10.0.2

10.0.3

10.0.4

10.0.5

10.1.0-rc001

10.1.0

10.1.1

10.1.2

10.1.3

10.2.0-rc001

10.2.0

10.2.1

10.2.2

10.2.3

10.2.4

10.3.0-rc001

10.3.0

10.3.1

10.3.2

10.3.3

10.4.0-rc1

10.4.0

10.5.0-rc1

10.5.0

10.5.1

10.5.2

10.5.3

10.5.4

10.5.5

10.5.6

10.5.7

11.*

11.0.0-rc1

11.0.0-rc2

11.0.0-rc3

11.0.0

11.0.1

11.0.2

11.0.3

11.1.0-rc001

11.1.0

11.1.1

11.1.2

11.1.3

11.2.0-rc1

11.2.0

11.2.1

12.*

12.0.0-rc1

12.0.0-rc2

12.0.0-rc3

12.0.0-rc4

12.0.0-rc5

12.0.0

12.1.0-rc1

12.1.0

12.1.1

12.1.2

12.2.0-rc1

12.2.0

12.2.1

12.2.2

12.2.3

12.2.4

13.*

13.0.0-rc1

13.0.0-rc2

13.0.0-rc3

13.0.0-rc4

13.0.0-rc5

13.0.0

13.0.1

13.0.2

13.1.0-rc

13.1.0

13.1.1

13.1.2

13.2.0-rc1

13.2.0-rc2

13.2.0

13.2.1

13.2.2

13.2.3

13.2.4

13.2.5

13.3.0-rc1

13.3.0

13.3.1

13.3.2

13.3.3

13.4.0-rc1

13.4.0-rc2

13.4.0-rc3

13.4.0

13.4.1

NuGet / UmbracoForms

Package

Name: UmbracoForms; View open source insights on deps.dev
Purl: pkg:nuget/UmbracoForms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Last affected

8.13.16

Affected versions

7.*

7.0.0

7.0.1

7.0.2

7.0.3

7.0.4

7.0.5

7.0.6

7.0.7

7.1.0

7.1.1

7.1.2

7.1.3

7.1.4

7.2.0

7.2.1

7.3.0

7.3.1

7.3.2

7.4.0

7.4.1

7.4.2

7.4.3

7.5.0

7.5.1

7.5.2

7.5.3

7.5.4

7.5.5

7.5.6

7.5.7

7.5.8

7.5.9

7.5.10

8.*

8.0.0

8.0.1

8.0.2

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.2.0

8.2.1

8.2.2

8.2.3

8.3.0

8.3.1

8.3.2

8.3.3

8.3.4

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.7

8.6.0

8.6.1

8.6.2

8.7.0-rc

8.7.0

8.7.1

8.7.2

8.7.3

8.7.4

8.7.5

8.7.6

8.8.0-rc001

8.8.0

8.9.0-rc001

8.9.0

8.9.1

8.10.0-rc001

8.10.0

8.10.1

8.10.2

8.10.3

8.11.0-rc001

8.11.0

8.12.0-rc001

8.12.0

8.12.1

8.12.2

8.13.0-rc001

8.13.0

8.13.1

8.13.2

8.13.3

8.13.4

8.13.5

8.13.6

8.13.7

8.13.8

8.13.9

8.13.10

8.13.11

8.13.12

8.13.13

8.13.14

8.13.15

8.13.16

NuGet / Umbraco.Forms

Package

Name: Umbraco.Forms; View open source insights on deps.dev
Purl: pkg:nuget/Umbraco.Forms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.0.0

Fixed

15.1.2

Affected versions

14.*

14.0.0

14.0.1

14.0.2

14.1.0-rc1

14.1.0-rc2

14.1.0

14.1.1

14.1.2

14.1.3

14.1.4

14.1.5

14.2.0-rc1

14.2.0-rc2

14.2.0

14.2.1

14.2.2

14.2.3

15.*

15.0.0-rc1

15.0.0-rc2

15.0.0-rc3

15.0.0-rc4

15.0.0

15.0.1

15.0.2

15.0.3

15.1.0-rc1

15.1.0-rc2

15.1.0-rc3

15.1.0

15.1.1