Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-55488

Good to know:

icon
icon

Date: January 21, 2025

A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. NOTE: This has been disputed by the vendor since this potential attack is only possible via authenticated users who have been manually allowed access to the CMS. There was a deliberate decision made not to apply HTML sanitization at the product level.

Severity Score

Related Resources (9)

https://www.nccgroup.com/us/research-blog/technical-advisory-cross-site-scripting-in-umbraco-rich-text-display/
https://nvd.nist.gov/vuln/detail/CVE-2024-55488
https://github.com/umbraco/Umbraco-CMS
http://umbraco.com
https://github.com/umbraco/Umbraco-CMS/releases/tag/release-15.0.0-rc1
https://github.com/github/advisory-database/pull/5270
https://github.com/umbraco/Umbraco-CMS/pull/17164
https://www.nccgroup.com/us/research-blog/technical-advisory-cross-site-scripting-in-umbraco-rich-text-display
https://www.mend.io/vulnerability-database/CVE-2024-55488

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

icon

Upgrade Version

Upgrade to version Umbraco.Cms.Infrastructure - 13.7.0-rc;Umbraco.Cms.Infrastructure - 14.3.2;Umbraco.Cms.Infrastructure - 10.8.9;TSC.Client.Umbraco - 2.0.1;OzoneNZ.Umbraco.Cms.Infrastructure - no_fix;uSync.Cli - 15.0.0-beta1;ClerkIoConnector - 10.0.1;Umble.Construct - no_fix

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us