PT-2023-26559 · Umbraco · Umbraco

Bergmania · Published 2023-12-12 · Updated 2023-12-18 · CVE-2023-38694

CVSS v3.1: 3.5 (Low)

Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Umbraco versions 8.0.0 through 8.18.9
Umbraco versions 10.0.0 through 10.6.9 (8.18.10 is not affected, but versions prior to 10.7.0 are)
Umbraco versions 12.0.0 through 12.0.9

Description: A user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. This can be achieved by a person with access to the backoffice and the "Users" section, who could send a user invite and inject HTML code into the invite message.

Recommendations: For Umbraco versions 8.0.0 through 8.18.9, update to version 8.18.10 or later. For Umbraco versions 10.0.0 through 10.6.9, update to version 10.7.0 or later. For Umbraco versions 12.0.0 through 12.0.9, update to version 12.1.0 or later.

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2023-38694
GHSA-XXC6-35R7-796W

Affected products

Umbraco