CVE-2025-23041 MEDIUM

CVE-2025-23041: Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length in Umbraco.Forms

Vendor Umbraco
Product Umbraco.Forms.Issues
Weakness CWE-20 · Input validation
Published January 14, 2025
Last update January 14, 2025

CVSS base score

5.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

What the vulnerability does

01 Description

Umbraco.Forms is a web form framework written for the NuGet ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade. There are no known workarounds for this issue.

Key dates

02 Disclosure timeline

January 14, 2025 CVE published
January 14, 2025 Record updated