Nul800Sebastiaan

**Name of the Vulnerable Software and Affected Versions** Umbraco CMS versions prior to 7.7.3 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `nodename` parameter, also known as the "page name" parameter, during the creation of a new page. This issue is related to files Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs and Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs. **Recommendations** For Umbraco CMS versions prior to 7.7.3, update to version 7.7.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the page creation feature to minimize the risk of exploitation. Avoid using the `nodename` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Umbraco CMS versions prior to 7.7.3 **Description** The issue allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts, also known as Server-Side Request Forgery (SSRF). This is related to the file `Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs`. **Recommendations** For Umbraco CMS versions prior to 7.7.3, update to version 7.7.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `importDocumenttype.aspx.cs` file to minimize the risk of exploitation.