VYPR
Moderate severity · NVD Advisory · Published Nov 27, 2018 · Updated Sep 17, 2024

CVE-2018-17256

Description

Umbraco CMS 7.12.3 is susceptible to persistent XSS via the Header Name field when updating or removing public access on content by authenticated users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Umbraco CMS version 7.12.3 contains a persistent (stored) cross-site scripting vulnerability. An authenticated backoffice user with content-editing privileges can inject arbitrary web script or HTML through the Header Name field of content items such as blog posts or content pages. The payload is saved with the content and executes when the content's public access settings are later updated or removed. [1]

Exploitation

An attacker must have an authenticated session in the Umbraco backoffice with permission to edit content and manage public access. To exploit the vulnerability, the attacker opens a content item's properties, locates the Header Name field, and enters crafted JavaScript as part of the header value. The payload fires when a victim (another backoffice user) updates or removes public access settings for that content. No timing or race condition is involved; the attack relies solely on the stored value being rendered without HTML encoding in a security-relevant part of the backoffice. [1]

Impact

Successful exploitation results in the execution of arbitrary JavaScript in the context of the victim's Umbraco backoffice session. This can lead to session hijacking, defacement, theft of data accessible within the administrative interface, or any backoffice action being performed with the victim's privileges. The impact is limited to authenticated users who interact with the affected functionality; unauthenticated site visitors are not affected unless the compromised backoffice session is used to alter published content. [1]

Mitigation

At the time of publication (November 2018), no official patch or updated version had been released by the vendor. Administrators should restrict content-editing and public-access permissions to trusted users, treat the Header Name value as untrusted and make sure any view or template that renders it applies HTML encoding appropriate to the output context, review existing content for header names containing markup, and monitor for security updates from the Umbraco CMS project. [1] [2]
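The rendering flaw described under Exploitation and the output-encoding fix suggested under Mitigation, as an added example that is not part of this advisory and not Umbraco's own code. It models a backoffice dialog that lists content by header name: a vulnerable renderer that concatenates the stored value into markup next to a hardened one that HTML-encodes it, plus a small audit helper for stored values. The store layout, the list markup and the function names are assumptions for illustration; the real Umbraco 7 backoffice is an AngularJS application and is not modelled here.

```javascript
// Added example (not Umbraco code): stored XSS through a "Header Name" style
// field, shown as a vulnerable renderer next to a hardened one. The store
// layout, markup and names below are assumptions for illustration.

// Minimal HTML escaper. '&' is replaced first so the entities produced by the
// later replacements are not escaped a second time.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample content store: header names exactly as an authenticated
// editor saved them. The second entry is an attacker's stored payload.
const contentStore = [
  { id: 1, headerName: "Company blog" },
  { id: 2, headerName: '<img src=x onerror="alert(document.cookie)">' },
];

// VULNERABLE: the stored value is interpolated straight into the markup of the
// public-access dialog, so the payload executes in the browser of whichever
// backoffice user opens the dialog to update or remove public access.
function renderPublicAccessRowVulnerable(item) {
  return `<li data-id="${item.id}">Remove public access from "${item.headerName}"</li>`;
}

// HARDENED: every untrusted value is encoded at the point it enters an HTML
// text or quoted-attribute context. The stored value is left untouched; the
// fix is output encoding, not input filtering.
function renderPublicAccessRowSafe(item) {
  return `<li data-id="${escapeHtml(item.id)}">Remove public access from "${escapeHtml(item.headerName)}"</li>`;
}

// Audit helper for existing data: returns the ids of items whose header name
// contains characters that only matter as markup. Useful for reviewing content
// created before a fix is deployed; not a substitute for output encoding.
function findSuspiciousHeaderNames(store) {
  return store
    .filter((item) => /[<>"']/.test(item.headerName))
    .map((item) => item.id);
}

// Checks whether rendered HTML still contains a raw tag carrying an inline
// event handler (on...=), i.e. whether a payload survived rendering intact.
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Stand-alone run: compare both renderers on the attacker-controlled item.
for (const item of contentStore) {
  console.log("vulnerable:", renderPublicAccessRowVulnerable(item));
  console.log("hardened:  ", renderPublicAccessRowSafe(item));
}
console.log("suspicious ids:", findSuspiciousHeaderNames(contentStore));
```

The hardened renderer is the relevant fix: the same stored value is harmless once it is encoded for the context it lands in. The audit helper only narrows down what to look at; a header name can carry a payload that the character check misses, and a clean-looking value still needs encoding.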

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: umbraco (NuGet)
Affected versions: <= 7.12.3
Patched versions: none listed

Affected products (2)
  • ghsa-coords
    Range: <= 7.12.3
  • CyberSecurity Philippines - CERT/UmbracoCMSv5
    Range: 7.12.3

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.