Overview
- Description
- Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content. Versions 14.3.1 and 15.0.0 contain a patch. As a workaround, ensure that access to the Dictionary section is only granted to trusted users.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 8.7
- Impact score
- 5.8
- Exploitability score
- 2.3
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
- Severity
- HIGH
Weaknesses
- security-advisories@github.com
- CWE-79
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A6E7FB7D-A5F2-42FF-BB08-B4428D7517E4",
"versionEndExcluding": "14.3.1",
"versionStartIncluding": "14.0.0"
}
],
"operator": "OR"
}
]
}
]