Low severityNVD Advisory· Published May 28, 2024· Updated Aug 2, 2024
Stored Cross-site Scripting on Components of Umbraco Forms
CVE-2024-35239
Description
Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Umbraco.FormsNuGet | >= 13.0.0, < 13.0.1 | 13.0.1 |
Umbraco.FormsNuGet | >= 12.0.0, < 12.2.2 | 12.2.2 |
Umbraco.FormsNuGet | >= 10.0.0, < 10.5.3 | 10.5.3 |
Umbraco.FormsNuGet | >= 8.0.0, < 8.13.13 | 8.13.13 |
Affected products
2- umbraco/Umbraco.Forms.Issuesv5Range: >= 13.0.0, < 13.0.1
Patches
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- github.com/advisories/GHSA-p572-p2rj-q5f4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-35239ghsaADVISORY
- docs.umbraco.com/umbraco-forms/developer/configurationghsax_refsource_MISCWEB
- docs.umbraco.com/umbraco-forms/release-notesghsax_refsource_MISCWEB
- docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notesghsax_refsource_MISCWEB
- docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notesghsaWEB
- docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notesghsax_refsource_MISCWEB
- github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.