Page 2 of 49 results (0.010 seconds)

CVSS: 4.2EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-47819 – Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section

https://notcve.org/view.php?id=CVE-2024-47819

Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content. Versions 14.3.1 and 15.0.0 contain a patch. As a workaround, ensure that access to the Dictionary section is only granted to trusted users. • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-c5g6-6xf7-qxp3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-43377 – Umbraco CMS Improper Access Control vulnerability

https://notcve.org/view.php?id=CVE-2024-43377

Umbraco CMS is an ASP.NET CMS. An authenticated user can access a few unintended endpoints. This issue is fixed in 14.1.2. • https://github.com/umbraco/Umbraco-CMS/commit/72bef8861d94a39d5cc9530a04c4797b91fcbecf https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hrww-x3fq-xcvh • CWE-284: Improper Access Control •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-43376 – Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information

https://notcve.org/view.php?id=CVE-2024-43376

Umbraco is an ASP.NET CMS. Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode. This vulnerability is fixed in 14.1.2. • https://github.com/umbraco/Umbraco-CMS/commit/b76070c794925932cb159ef50b851db6e966a004 https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-77gj-crhp-3gvx • CWE-209: Generation of Error Message Containing Sensitive Information •

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0

CVE-2024-35240 – Stored Cross-site Scripting on Print Functionality in Umbraco Commerce

https://notcve.org/view.php?id=CVE-2024-35240

Umbraco Commerce is an open source dotnet ecommerce solution. In affected versions there exists a stored Cross-site scripting (XSS) issue which would enable attackers to inject malicious code into Print Functionality. This issue has been addressed in versions 12.1.4, and 10.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://docs.umbraco.com/umbraco-commerce/release-notes#id-13.0.0-december-13th-2023 https://github.com/umbraco/Umbraco.Commerce.Issues/security/advisories/GHSA-rpj9-xjwm-wr6w • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 2.7EPSS: 0%CPEs: 4EXPL: 0

CVE-2024-35239 – Stored Cross-site Scripting on Components of Umbraco Forms

https://notcve.org/view.php?id=CVE-2024-35239

Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13). Umbraco Commerce es una solución de formularios web dotnet de código abierto. En las versiones afectadas, un usuario autenticado que tiene acceso para editar formularios puede inyectar código no seguro en los componentes de Forms. • https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024 https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024 https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •