GoogleOSV:GHSA-GVPC-3PJ6-4M9WUmbraco CMS Vulnerable to Stored XSS on Content Page Through Markdown Editor Preview Pane
4.2 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
6 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%
Impact
Stored Cross-site scripting (XSS) enable attackers that have access to backoffice to bring malicious content into a website or application.
Affected versions
Umbraco CMS >= 8.00
Patches
This is fixed in 8.18.13, 10.8.4, 12.3.7, 13.1.1 by implementing IHtmlSanitizer
References
github.com/umbraco/Umbraco-CMS
github.com/umbraco/Umbraco-CMS/commit/1b712fe6ec52aa4e71b3acf63e393c8e6ab85385
github.com/umbraco/Umbraco-CMS/commit/a2684069b1e9976444f60b4b37a80be05b87f6b6
github.com/umbraco/Umbraco-CMS/commit/cbf9f9bcd199d7ca0412be3071d275556f10b7ba
github.com/umbraco/Umbraco-CMS/commit/d090176272d07500dac0daee7c598aa8bb321050
github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-gvpc-3pj6-4m9w
nvd.nist.gov/vuln/detail/CVE-2024-35218
Related
4.2 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
6 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%