PT-2023-26559 · Umbraco · Umbraco

Bergmania · Published 2023-12-12 · Updated 2023-12-18 · CVE-2023-38694

CVSS v3.1: 3.5 (Low)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Umbraco versions 8.0.0 through 8.18.9; Umbraco versions 10.0.0 through 10.6.9 (version 8.18.10 is not affected, but versions prior to 10.7.0 are); Umbraco versions 12.0.0 through 12.0.9.

Description: A user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. A person with access to the backoffice and its "users" section can send a user invite and inject HTML code into the invite message.

Recommendations: For Umbraco versions 8.0.0 through 8.18.9, update to version 8.18.10 or later. For Umbraco versions 10.0.0 through 10.6.9, update to version 10.7.0 or later. For Umbraco versions 12.0.0 through 12.0.9, update to version 12.1.0 or later.

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers
  CVE-2023-38694
  GHSA-XXC6-35R7-796W

Affected Products
  Umbraco