Possible injection of HTML into user invite mails

2023-12-1313:17:37

Google

osv.dev

injection

html

user invite

backoffice

vulnerability

software

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

13.4%

JSON

Impact

A user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended.

Explanation of the vulnerability

A person with access to the backoffice and the “users” section could send a user invite and inject HTML code into the invite message.

CPENameOperatorVersion
umbraco.cmseq9.5.0-rc
umbraco.cmseq10.5.0-rc
umbraco.cmseq10.0.1
umbraco.cmseq10.2.0
umbraco.cmseq11.3.1
umbraco.cmseq11.4.1
umbraco.cmseq10.6.0
umbraco.cmseq10.0.0-rc1
umbraco.cmseq9.1.1
umbraco.cmseq10.6.0-rc

Name	Operator	Version
umbraco.cms	eq	9.5.0-rc
umbraco.cms	eq	10.5.0-rc
umbraco.cms	eq	10.0.1
umbraco.cms	eq	10.2.0
umbraco.cms	eq	11.3.1
umbraco.cms	eq	11.4.1
umbraco.cms	eq	10.6.0
umbraco.cms	eq	10.0.0-rc1
umbraco.cms	eq	9.1.1
umbraco.cms	eq	10.6.0-rc