CVE-2024-35239
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
28/05/2024
Last modified:
05/01/2026
Description
Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).
Impact
Base Score 3.x
2.70
Severity 3.x
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:umbraco:umbraco_forms:*:*:*:*:*:*:*:* | 8.13.13 (excluding) | |
| cpe:2.3:a:umbraco:umbraco_forms:*:*:*:*:*:*:*:* | 9.0.0 (including) | 10.5.3 (excluding) |
| cpe:2.3:a:umbraco:umbraco_forms:*:*:*:*:*:*:*:* | 11.0.0 (including) | 12.2.2 (excluding) |
| cpe:2.3:a:umbraco:umbraco_forms:*:*:*:*:*:*:*:* | 13.0.0 (including) | 13.0.1 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values
- https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024
- https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes
- https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024
- https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4
- https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values
- https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024
- https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes
- https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024
- https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4