Umbraco Forms
CVE-2024-35239
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).
AnalysisAI
Umbraco Commerce is an open source dotnet web forms solution. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13). Affected products include: Umbraco Umbraco Forms.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Umbraco Forms
View allFile upload vulnerability in Umbraco Forms v.8.7.0 allows unauthenticated attackers to execute arbitrary code via a craf
Umbraco Forms versions up to 8.13.16 is affected by inclusion of functionality from untrusted control sphere (CVSS 7.5).
This affects all versions of package UmbracoForms. Rated high severity (CVSS 7.5), this vulnerability is remotely exploi
Authenticated users in Umbraco Forms versions 16 and 17 can exploit a path traversal vulnerability to read arbitrary fil
Umbraco Forms is a form builder that integrates with the Umbraco content management system. Rated low severity (CVSS 2.3
Umbraco.Forms is a web form framework written for the nuget ecosystem. Rated medium severity (CVSS 5.8), this vulnerabil
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today