CVE-2024-47819

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 22, 2024 / Updated: 28d ago

010
CVSS 8.7EPSS 0.04%High
CVE info copied to clipboard

Summary

Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability affecting versions starting from 14.0.0 and prior to versions 14.3.1 and 15.0.0. This vulnerability is present in the Dictionary section of the CMS.

Impact

This cross-site scripting vulnerability can be leveraged to gain access to higher-privilege endpoints. If an attacker can get a user with admin privileges to run malicious code, they could potentially elevate all users' privileges, granting them admin access or allowing them to access protected content. This represents a significant risk to the confidentiality and integrity of the system, as it could lead to unauthorized access to sensitive information and system-wide privilege escalation.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Versions 14.3.1 and 15.0.0 of Umbraco contain the fix for this vulnerability. Users should upgrade to these patched versions to mitigate the risk.

Mitigation

As an immediate workaround, ensure that access to the Dictionary section is only granted to trusted users. For a permanent solution, upgrade Umbraco to version 14.3.1 or 15.0.0, which contain the patch for this vulnerability. It's crucial to prioritize this update, especially for instances where the Dictionary section is accessible to non-trusted users or where there are users with admin privileges who might inadvertently trigger the exploit.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Timeline

Vendor Advisory

GitHub Advisories released a security advisory.

Oct 22, 2024 at 8:03 AM
CVE Assignment

NVD published the first details for CVE-2024-47819

Oct 22, 2024 at 4:15 PM
CVSS

A CVSS base score of 4.2 has been assigned.

Oct 22, 2024 at 4:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-47819. See article

Oct 22, 2024 at 4:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 22, 2024 at 4:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 23, 2024 at 10:38 AM
Static CVE Timeline Graph

Affected Systems

Umbraco/umbraco_cms
+null more

Patches

Github Advisory
+null more

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch
+null more

Vendor Advisory

[GHSA-c5g6-6xf7-qxp3] Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
Package: @umbraco-cms/backoffice Package Information

News

CVE Alert: CVE-2024-47819 - https://www. redpacketsecurity.com/cve_aler t_cve-2024-47819/ # OSINT # ThreatIntel # CyberSecurity # cve_2024_47819
Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content.
CVE-2024-47819
High Severity Description Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content. Versions 14.3.1 and 15.0.0 contain a patch. As a workaround, ensure that access to the Dictionary section is only granted to trusted users. Read more at https://www.tenable.com/cve/CVE-2024-47819
NA - CVE-2024-47819 - Umbraco, a free and open source .NET content...
Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to...
[GHSA-c5g6-6xf7-qxp3] Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
Package: @umbraco-cms/backoffice Package Information
See 3 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:Required
Scope:Changed
Confidentiality:High
Integrity:High
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI