PT-2024-16525 · Umbraco · Umbraco Cms
Kushkira
Published 2024-11-03
Updated 2025-01-22
CVE-2024-10761
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Umbraco CMS versions prior to 10.8.8
Umbraco CMS versions prior to 13.5.3
Umbraco CMS versions prior to 14.3.2
Umbraco CMS versions prior to 15.1.2
Description
A vulnerability was found in Umbraco CMS, classified as problematic. The issue affects an unknown function of the file /Umbraco/preview/frame?id{} of the component Dashboard. Manipulation of the argument culture leads to cross-site scripting: the parameter value is reflected into the preview page without being neutralized. The attack can be launched remotely. An exploit has been disclosed to the public and may be used. Authenticated users are able to exploit this XSS vulnerability when viewing previewed content; note that the vector above is scored PR:N/UI:N, so when assessing exposure assume the stricter reading (an unauthenticated attacker with a victim who holds a back-office session) rather than relying on the login as a barrier.
Recommendations
Upgrade to version 10.8.8 to address this issue.
Upgrade to version 13.5.3 to address this issue.
Upgrade to version 14.3.2 to address this issue.
Upgrade to version 15.1.2 to address this issue.
As a temporary workaround, if the upgrade cannot be applied immediately, restrict access to the /Umbraco/preview/frame?id{} endpoint (for example to a trusted network or to the editors who need content preview) until the fixed version is deployed.
Avoid using the culture argument in the affected endpoint until the issue is resolved, and treat any value that is not a well-formed culture tag as invalid.
Exploit
Fix
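The bug class described above, reflection of the culture query value into the preview page without neutralization, next to the shape of the fix and of the check a tester would run. This is an added Python illustration written for this page, not Umbraco's code: the page layout, the function names (render_preview_frame_vulnerable, render_preview_frame_hardened, handle_preview_request, reflects_unencoded), the culture-tag pattern and the probe value are all constructed assumptions. It also makes the workaround's "avoid the culture argument" mechanical by rejecting any value that is not a well-formed culture tag.

```python
import html
import re
from typing import Tuple
from urllib.parse import quote

# Allowlist for the `culture` argument: a BCP 47-style tag such as "en-US" or
# "da-DK". Anything else is rejected before it reaches any HTML context.
# Hypothetical pattern for this illustration; Umbraco's own validation differs.
CULTURE_TAG = re.compile(r"[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*")


def validate_culture(culture: str) -> bool:
    """Return True only for a well-formed culture tag."""
    return bool(CULTURE_TAG.fullmatch(culture))


def render_preview_frame_vulnerable(content_id: int, culture: str) -> str:
    """Vulnerable pattern (constructed): the query value is reflected verbatim
    into an attribute and into an iframe URL, so a value containing a double
    quote closes the attribute and the remainder is parsed as markup."""
    return (
        "<!DOCTYPE html><html>"
        f'<body data-culture="{culture}">'
        f'<iframe src="/preview/{content_id}?culture={culture}"></iframe>'
        "</body></html>"
    )


def render_preview_frame_hardened(content_id: int, culture: str) -> str:
    """Same page with output encoding chosen per context: HTML-attribute
    encoding for the data attribute, percent-encoding for the URL query value
    (and attribute encoding again for the attribute that carries the URL)."""
    attr_culture = html.escape(culture, quote=True)
    url_culture = html.escape(quote(culture, safe=""), quote=True)
    return (
        "<!DOCTYPE html><html>"
        f'<body data-culture="{attr_culture}">'
        f'<iframe src="/preview/{content_id}?culture={url_culture}"></iframe>'
        "</body></html>"
    )


def handle_preview_request(content_id: int, culture: str) -> Tuple[int, str]:
    """Hardened handler: reject anything that is not a culture tag, then
    encode anyway so a later template change cannot reintroduce the bug.
    Returns (HTTP status, body)."""
    if not validate_culture(culture):
        return 400, "invalid culture"
    return 200, render_preview_frame_hardened(content_id, culture)


def reflects_unencoded(page: str, probe: str) -> bool:
    """The check to run against a test instance: does the probe value come
    back byte-for-byte in the response body?"""
    return probe in page


if __name__ == "__main__":
    # Constructed probe: an attribute-breaking value with a recognisable tag name.
    PROBE = '"><marker id="probe">'
    print("vulnerable reflects probe:",
          reflects_unencoded(render_preview_frame_vulnerable(1234, PROBE), PROBE))
    print("hardened reflects probe:  ",
          reflects_unencoded(render_preview_frame_hardened(1234, PROBE), PROBE))
    print("handler status for probe: ", handle_preview_request(1234, PROBE)[0])
    print("handler status for en-US: ", handle_preview_request(1234, "en-US")[0])
```

The two layers are deliberate: validation stops the value at the boundary, and context-specific encoding protects the page if validation is ever bypassed or relaxed. In the ASP.NET Core/Razor stack Umbraco runs on, the equivalent is to let Razor's default encoding handle the value (never emit it through Html.Raw) and to compare it against the site's configured languages before use.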
Code Injection
Improper Neutralization
XSS
Related Identifiers
Affected Products
Umbraco Cms