CVE-2023-38694

Summary

Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain a patch for this issue.

Affected Software

VendorProductVersion RangeStatus
umbracoUmbraco-CMS>= 8.0.0, < 8.18.10affected
umbracoUmbraco-CMS>= 9.0.0-rc001, < 10.7.0affected
umbracoUmbraco-CMS>= 11.0.0-rc1, < 12.1.0affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CVE Program Container

Additional References

References