SecuriTricks - CVE-2024-10761

Description

A vulnerability was found in Umbraco CMS 12.3.6. It has been classified as problematic. Affected is an unknown function of the file /Umbraco/preview/frame?id{} of the component Dashboard. The manipulation of the argument culture leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor is not able to reproduce the issue.

Product(s) Impacted

Vendor	Product	Versions
Umbraco	Umbraco Cms	12.3.6

Weaknesses

CWE-707

Improper Neutralization

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

*CPE(s)

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	umbraco	umbraco_cms	12.3.6	/	/	/	/	/	/	/

References

https://drive.google.com/file/d/1YoZgdlS3QT7Xu005j9RO-FFUT8RbB0Da/view?usp=sharing

https://vuldb.com/?ctiid.282930

https://vuldb.com/?id.282930

https://vuldb.com/?submit.427091

CVSS Score

3.5 / 10

CVSS Data

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

View Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Date

Published: Nov. 4, 2024, 5:15 a.m.
Last Modified: Nov. 13, 2024, 11:15 a.m.

Status : Modified

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cna@vuldb.com

CVE-2024-10761