CVE-2024-35240

May 28, 2024, 9:16 p.m.

5.4
Medium

Description

Umbraco Commerce is an open source dotnet ecommerce solution. In affected versions there exists a stored Cross-site scripting (XSS) issue which would enable attackers to inject malicious code into Print Functionality. This issue has been addressed in versions 12.1.4, and 10.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Product(s) Impacted

Product Versions
Umbraco Commerce
  • 12.1.4
  • 10.0.5

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://docs.umbraco.com/umbraco-commerce/release-notes#id-13.0.0-december-13th-2023
https://github.com/umbraco/Umbraco.Commerce.Issues/security/advisories/GHSA-rpj9-xjwm-wr6w

Tags

security-advisories@github.com
CWE-79
2024-05-28
CVE-2024-35240

CVSS Score

5.4 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

    View Vector String

Timeline

Published: May 28, 2024, 9:16 p.m.
Last Modified: May 28, 2024, 9:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.