CVE-2024-47819 MEDIUM

CVE-2024-47819: Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section

Vendor Umbraco
Product Umbraco-CMS
Weakness CWE-79 · XSS
Published October 22, 2024
Last update October 22, 2024
View on NVD All CVEs

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content. Versions 14.3.1 and 15.0.0 contain a patch. As a workaround, ensure that access to the Dictionary section is only granted to trusted users.

Key dates

02Disclosure timeline

October 22, 2024 CVE published
October 22, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-57952 WordPress Maps for WP Plugin <= 1.2.5 - Cross Site Scripting (XSS) Vulnerability CVE-2024-43211 WordPress MailChimp Subscribe Form plugin <=4.0.9.9 - Stored Cross-Site Scripting vulnerability CVE-2026-5231 WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter CVE-2023-43039 IBM OpenPages with Watson cross-site scripting CVE-2024-11871 Social Media Shortcodes <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting