GHSA-c5g6-6xf7-qxp3: Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section

Impact

This can be leveraged to gain access to higher-privilege endpoints: for example, if a user with admin privileges is made to run the injected script, it can potentially elevate all users to admin privileges or access protected content.

Patches

Will be patched in 14.3.1 and 15.0.0.

Workarounds

Ensure that access to the Dictionary section is only granted to trusted users.

CVE

CVE-2024-47819

Severity: Moderate (GitHub Reviewed). Published Oct 22, 2024 in umbraco/Umbraco-CMS; updated Oct 22, 2024.

Package

npm @umbraco-cms/backoffice (npm)

Affected versions

>= 14.0.0, < 14.3.1

nuget Umbraco.Cms.StaticAssets (NuGet)


References

  • GHSA-c5g6-6xf7-qxp3

Published to the GitHub Advisory Database

Oct 22, 2024

Last updated

Oct 22, 2024
