CVE-2025-24012
Published 2025-01-21
Priority: P4 25 | Severity: medium | CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.26% (17.0th percentile)
Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, authenticated users are able to exploit a cross-site scripting vulnerability when viewing certain localized backoffice components. Versions 14.3.2 and 15.1.2 contain a patch.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| umbraco-cms | backoffice | >= 14.0.0 < 14.3.2 | 14.3.2 |
| umbraco-cms | backoffice | >= 15.0.0 < 15.1.2 | 15.1.2 |
| umbraco | umbraco-cms | — | — |
| umbraco | umbraco-cms | — | — |
| umbraco | umbraco_cms | >= 14.0.0 < 14.3.2 | 14.3.2 |
| umbraco | umbraco_cms | >= 15.0.0 < 15.1.2 | 15.1.2 |
GHSA
ghsa · 2025-01-21 — CVE-2025-24012 [MEDIUM] CWE-79: XSS/HTML Injection Vulnerability in Umbraco Backoffice Components
### Impact
Authenticated users are able to exploit an XSS vulnerability when viewing certain localized backoffice components.
### Patches
Will be patched in 14.3.2 and 15.1.2.
Note: This issue was reported by Pratik Patil from NetSPI (@Nexusss-ppatil).
OSV
osv · 2025-01-21 — CVE-2025-24012 [MEDIUM] XSS/HTML Injection Vulnerability in Umbraco Backoffice Components (advisory text identical to the GHSA entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.