We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-47819

Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section



Description

Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content. Versions 14.3.1 and 15.0.0 contain a patch. As a workaround, ensure that access to the Dictionary section is only granted to trusted users.

Reserved 2024-10-03 | Published 2024-10-22 | Updated 2024-10-22 | Assigner GitHub_M


MEDIUM: 4.2CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

>= 14.0.0, < 14.3.1
affected

References

github.com/...co-CMS/security/advisories/GHSA-c5g6-6xf7-qxp3

cve.org (CVE-2024-47819)

nvd.nist.gov (CVE-2024-47819)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-47819

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.