PT-2024-26402 · Umbraco · Umbraco Commerce
Author: Raphaelcssilva · Published 2024-05-28 · Updated 2024-05-29
CVE-2024-35239 · CVSS v3.1 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Umbraco Commerce versions prior to 8.13.13
Umbraco Commerce versions prior to 10.5.3
Umbraco Commerce versions prior to 12.2.2
Umbraco Commerce versions prior to 13.0.1
Description
An authenticated user with permission to edit Forms can inject unsafe HTML, including script, into Forms components. The injected content is rendered as HTML rather than escaped, so it can execute in the browser of a user who views the affected form (stored cross-site scripting). This matches the CVSS vector above: low privileges required, user interaction required, and a scope change from the editing user to the viewing user.
Recommendations
For versions prior to 8.13.13: upgrade to 8.13.13.
For versions prior to 10.5.3: upgrade to 10.5.3.
For versions prior to 12.2.2: upgrade to 12.2.2.
For versions prior to 13.0.1: upgrade to 13.0.1.
In every case, after upgrading, configure TitleAndDescription:AllowUnsafeHtmlRendering so that unsafe HTML in Forms components is no longer rendered; the upgrade on its own does not mitigate the issue.
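The following appsettings.json fragment is an added example, not text from the advisory or configuration shipped by Umbraco. It assumes the setting lives at the usual Umbraco Forms configuration path `Umbraco:Forms:FieldTypes:TitleAndDescription:AllowUnsafeHtmlRendering` (the advisory only names the last two segments) and that `false` is the hardened value, since the key name describes whether unsafe HTML rendering is allowed. The comments rely on the .NET configuration loader accepting comments in JSON settings files.

```json
{
  "Umbraco": {
    "Forms": {
      "FieldTypes": {
        "TitleAndDescription": {
          // Assumed full path: the advisory names only
          // TitleAndDescription:AllowUnsafeHtmlRendering.
          // true  = editor-supplied HTML in the "Title and description"
          //         field is rendered raw (the vulnerable behaviour).
          // false = assumed hardened value: unsafe HTML is not rendered.
          "AllowUnsafeHtmlRendering": false
        }
      }
    }
  }
}
```

The same value can be supplied through the environment instead of the file, using the standard .NET convention of replacing each `:` in the key path with `__`, for example `Umbraco__Forms__FieldTypes__TitleAndDescription__AllowUnsafeHtmlRendering=false`; whichever source is used, confirm the effective value on the running instance rather than trusting that the upgrade changed it, because the advisory requires the setting to be configured in addition to the upgrade.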
Type: XSS
Affected Products
Umbraco Commerce