Headline
GHSA-p572-p2rj-q5f4: Umbraco Forms components vulnerable to Stored Cross-site Scripting
Impact
An authenticated user who has access to edit Forms may inject unsafe code into Forms components.
Patches
The issue can be mitigated by configuring `TitleAndDescription:AllowUnsafeHtmlRendering` after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).
References
https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024
https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024
https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes
https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values
CVE ID: CVE-2024-35239 (GitHub Reviewed)
Package
Umbraco.Forms (NuGet)
Affected versions
>= 13.0.0, < 13.0.1
>= 12.0.0, < 12.2.2
>= 10.0.0, < 10.5.3
>= 8.0.0, < 8.13.13
Patched versions
13.0.1
12.2.2
10.5.3
8.13.13
Description
Published to the GitHub Advisory Database: May 28, 2024
Last updated: May 28, 2024