CVE-2024-55488
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. NOTE: This has been disputed by the vendor since this potential attack is only possible via authenticated users who have been manually allowed access to the CMS. There was a deliberate decision made not to apply HTML sanitization at the product level.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://www.nccgroup.com/us/research-blog/technical-advisory-cross-site-scripting-in-umbraco-rich-text-display/
- https://docs.umbraco.com/umbraco-cms/develop-with-umbraco/templating-and-rendering/design/stylesheets-javascript
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.