GHSA-c5g6-6xf7-qxp3

Source

https://github.com/advisories/GHSA-c5g6-6xf7-qxp3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-c5g6-6xf7-qxp3/GHSA-c5g6-6xf7-qxp3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c5g6-6xf7-qxp3

Aliases

CVE-2024-47819

Published

2024-10-22T17:50:08Z

Modified

2024-10-22T19:32:09.346750Z

Severity

4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section

Details

Impact

This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content.

Patches

Will be patched in 14.3.1 and 15.0.0.

Workarounds

Ensure that access to the Dictionary section is only granted to trusted users.

References

Affected packages

NuGet / Umbraco.Cms.StaticAssets

Package

Name: Umbraco.Cms.StaticAssets; View open source insights on deps.dev
Purl: pkg:nuget/Umbraco.Cms.StaticAssets

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.0.0

Fixed

14.3.1

Affected versions

14.*

14.0.0

14.1.0-rc

14.1.0-rc2

14.1.0

14.1.1

14.1.2

14.2.0-rc

14.2.0-rc2

14.2.0-rc3

14.2.0

14.3.0-rc

14.3.0

npm / @umbraco-cms/backoffice

Package

Name: @umbraco-cms/backoffice; View open source insights on deps.dev
Purl: pkg:npm/%40umbraco-cms/backoffice

Affected ranges

Type: SEMVER
Events: Introduced

14.0.0

Fixed

14.3.1