CVE-2024-47819
Published 2024-10-22
Priority: P3 43 | CVSS 3.1 base score: 8.7 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS: 0.33% (24.3rd percentile)
Umbraco, a free and open source .NET content management system, has a stored cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. Script injected into a dictionary name runs in the browser of any backoffice user who views it, so it can be leveraged to reach higher-privilege endpoints: if a user with admin privileges runs the injected code, the attacker can potentially elevate all users, grant them admin privileges, or access protected content. Versions 14.3.1 and 15.0.0 contain a patch. As a workaround, ensure that access to the Dictionary section is only granted to trusted users.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| umbraco-cms | backoffice | >= 14.0.0 < 14.3.1 | 14.3.1 |
| umbraco | umbraco-cms | — | — |
| umbraco | umbraco_cms | >= 14.0.0 < 14.3.1 | 14.3.1 |
GHSA (2024-10-22) CVE-2024-47819, severity MEDIUM, CWE-79: Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
### Impact
This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content.
### Patches
Will be patched in 14.3.1 and 15.0.0.
### Workarounds
Ensure that access to the Dictionary section is only granted to trusted users.
OSV (2024-10-22) CVE-2024-47819, severity MEDIUM: Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section (advisory text identical to the GHSA entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.