Lucene search

GitHub Advisory DatabaseGHSA-XXC6-35R7-796W

HistoryDec 13, 2023 - 1:17 p.m.

Possible injection of HTML into user invite mails

2023-12-1313:17:37

CWE-79

GitHub Advisory Database

github.com

html injection

user invite

backoffice access

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

13.4%

JSON

Impact

A user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended.

Explanation of the vulnerability

A person with access to the backoffice and the “users” section could send a user invite and inject HTML code into the invite message.

Affected configurations

Vulners

Node

umbraco.cmsRange11.0.0≥

umbraco.cmsRange<12.1.0

umbraco.cmsRange9.0.0≥

umbraco.cmsRange<10.7.0

umbraco.cmsRange<8.18.10

CPENameOperatorVersion
umbraco.cmsge11.0.0
umbraco.cmslt12.1.0
umbraco.cmsge9.0.0
umbraco.cmslt10.7.0
umbraco.cmslt8.18.10

Name	Operator	Version
umbraco.cms	ge	11.0.0
umbraco.cms	lt	12.1.0
umbraco.cms	ge	9.0.0
umbraco.cms	lt	10.7.0
umbraco.cms	lt	8.18.10

References

github.com/advisories/GHSA-xxc6-35r7-796w

github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-xxc6-35r7-796w

nvd.nist.gov/vuln/detail/CVE-2023-38694