CVE-2024-35239 LOW

CVE-2024-35239: Stored Cross-site Scripting on Components of Umbraco Forms

Vendor Umbraco
Product Umbraco.Forms.Issues
Weakness CWE-79 · XSS
Published May 28, 2024
Last update August 2, 2024

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Umbraco Commerce is an open source dotnet web forms solution. In affected versions, an authenticated user who has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).

Key dates

02 Disclosure timeline

May 28, 2024 CVE published
August 2, 2024 Record updated
