GHSA-p572-p2rj-q5f4

Source

https://github.com/advisories/GHSA-p572-p2rj-q5f4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-p572-p2rj-q5f4/GHSA-p572-p2rj-q5f4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p572-p2rj-q5f4

Aliases

CVE-2024-35239

Published

2024-05-28T20:40:31Z

Modified

2024-06-03T18:49:55.486711Z

Severity

2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Umbraco Forms components vulnerable to Stored Cross-site Scripting

Details

Impact

Authenticated user that has access to edit Forms may inject unsafe code into Forms components.

Patches

Issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).

References

https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024 https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024 https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values

Database specific

{
    "nvd_published_at": "2024-05-28T21:16:31Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-28T20:40:31Z"
}

References

Affected packages

NuGet / Umbraco.Forms

Package

Name: Umbraco.Forms; View open source insights on deps.dev
Purl: pkg:nuget/Umbraco.Forms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.0.0

Fixed

13.0.1

Affected versions

13.*

13.0.0

NuGet / Umbraco.Forms

Package

Name: Umbraco.Forms; View open source insights on deps.dev
Purl: pkg:nuget/Umbraco.Forms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

12.0.0

Fixed

12.2.2

Affected versions

12.*

12.0.0

12.1.0-rc1

12.1.0

12.1.1

12.1.2

12.2.0-rc1

12.2.0

12.2.1

NuGet / Umbraco.Forms

Package

Name: Umbraco.Forms; View open source insights on deps.dev
Purl: pkg:nuget/Umbraco.Forms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.0.0

Fixed

10.5.3

Affected versions

10.*

10.0.0

10.0.1

10.0.2

10.0.3

10.0.4

10.0.5

10.1.0-rc001

10.1.0

10.1.1

10.1.2

10.1.3

10.2.0-rc001

10.2.0

10.2.1

10.2.2

10.2.3

10.2.4

10.3.0-rc001

10.3.0

10.3.1

10.3.2

10.3.3

10.4.0-rc1

10.4.0

10.5.0-rc1

10.5.0

10.5.1

10.5.2

NuGet / Umbraco.Forms

Package

Name: Umbraco.Forms; View open source insights on deps.dev
Purl: pkg:nuget/Umbraco.Forms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.13.13