Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).
References
Configurations
No configuration.
History
21 Nov 2024, 09:20
Type | Values Removed | Values Added |
---|---|---|
References | () https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values - | |
References | () https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024 - | |
References | () https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes - | |
References | () https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024 - | |
References | () https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4 - |
29 May 2024, 13:02
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
28 May 2024, 21:16
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-05-28 21:16
Updated : 2024-11-21 09:20
NVD link : CVE-2024-35239
Mitre link : CVE-2024-35239
CVE.ORG link : CVE-2024-35239
JSON object : View
Products Affected
No product.
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')