Description
Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
- Attack Vector
- network
- Complexity
- low
- Privileges
- high
- User Action
- none
- Scope
- unchanged
- Confidentiality
- low
- Integrity
- none
- Availability
- none
- Weaknesses
- CWE-79
Metadata
- Primary Vendor
- UMBRACO
- Published
- 5/28/2024
- Last Modified
- 1/5/2026
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
umbraco : umbraco_formsumbraco : umbraco_formsumbraco : umbraco_formsumbraco : umbraco_forms
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.