GHSA-c5g6-6xf7-qxp3

Source
https://github.com/advisories/GHSA-c5g6-6xf7-qxp3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-c5g6-6xf7-qxp3/GHSA-c5g6-6xf7-qxp3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c5g6-6xf7-qxp3
Aliases
Published
2024-10-22T17:50:08Z
Modified
2024-10-22T19:32:47.036714Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
Summary
Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
Details

Impact

This stored XSS can be leveraged to gain access to higher-privilege endpoints: for example, if a user with admin privileges is made to run the injected script, an attacker can potentially elevate all users and grant them admin privileges, or access protected content.

Patches

Will be patched in 14.3.1 and 15.0.0.

Workarounds

Ensure that access to the Dictionary section is only granted to trusted users.

References

Affected packages

NuGet / Umbraco.Cms.StaticAssets

Package

Name
Umbraco.Cms.StaticAssets
Purl
pkg:nuget/Umbraco.Cms.StaticAssets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14.0.0
Fixed
14.3.1

Affected versions

14.*

14.0.0
14.1.0-rc
14.1.0-rc2
14.1.0
14.1.1
14.1.2
14.2.0-rc
14.2.0-rc2
14.2.0-rc3
14.2.0
14.3.0-rc
14.3.0

npm / @umbraco-cms/backoffice

Package

Name
@umbraco-cms/backoffice
Purl
pkg:npm/%40umbraco-cms/backoffice

Affected ranges

Type
SEMVER
Events
Introduced
14.0.0
Fixed
14.3.1