GHSA-wv8v-rmw2-25wc

Source
https://github.com/advisories/GHSA-wv8v-rmw2-25wc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-wv8v-rmw2-25wc/GHSA-wv8v-rmw2-25wc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wv8v-rmw2-25wc
Aliases
Published
2025-01-21T19:59:13Z
Modified
2025-01-21T20:12:05.200561Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
XSS/HTML Injection Vulnerability in Umbraco Backoffice Components
Details

Impact

Authenticated users can exploit a cross-site scripting (XSS) vulnerability when viewing certain localized backoffice components.

Patches

Will be patched in 14.3.2 and 15.1.2.

Note: This issue was reported by Pratik Patil from NetSPI @Nexusss-ppatil

Database specific
{
    "nvd_published_at": "2025-01-21T16:15:14Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-21T19:59:13Z"
}
References

Affected packages

NuGet / Umbraco.Cms.StaticAssets

Package

Name
Umbraco.Cms.StaticAssets
Purl
pkg:nuget/Umbraco.Cms.StaticAssets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14.0.0
Fixed
14.3.2

Affected versions

14.*

14.0.0
14.1.0-rc
14.1.0-rc2
14.1.0
14.1.1
14.1.2
14.2.0-rc
14.2.0-rc2
14.2.0-rc3
14.2.0
14.3.0-rc
14.3.0
14.3.1

NuGet / Umbraco.Cms.StaticAssets

Package

Name
Umbraco.Cms.StaticAssets
Purl
pkg:nuget/Umbraco.Cms.StaticAssets

Affected ranges

Type
ECOSYSTEM
Events
Introduced
15.0.0
Fixed
15.1.2

Affected versions

15.*

15.0.0
15.1.0-rc
15.1.0-rc2
15.1.0
15.1.1

npm / @umbraco-cms/backoffice

Package

Name
@umbraco-cms/backoffice
Purl
pkg:npm/%40umbraco-cms/backoffice

Affected ranges

Type
SEMVER
Events
Introduced
14.0.0
Fixed
14.3.2

npm / @umbraco-cms/backoffice

Package

Name
@umbraco-cms/backoffice
Purl
pkg:npm/%40umbraco-cms/backoffice

Affected ranges

Type
SEMVER
Events
Introduced
15.0.0
Fixed
15.1.2