CVE-2017-15279

Name of the Vulnerable Software and Affected Versions Umbraco CMS versions prior to 7.7.3

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the nodename parameter, also known as the "page name" parameter, during the creation of a new page. This issue is related to files Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs and Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs.

Recommendations For Umbraco CMS versions prior to 7.7.3, update to version 7.7.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the page creation feature to minimize the risk of exploitation. Avoid using the nodename parameter in the affected API endpoint until the issue is resolved.