CVE-2024-10761 — XSS/HTML Injection Vulnerability in Umbraco Preview Badge

Description

### Impact Authenticated users are able to exploit an XSS vulnerability when viewing previewed content. ### Patches Will be patched in 10.8.8, 13.5.3, 14.3.2 and 15.1.2. ### Workarounds None available.

How to fix CVE-2024-10761

To remediate CVE-2024-10761, upgrade the affected package to a fixed version below.

NuGet/Umbraco.Cms—upgrade to 13.5.3 or later
—upgrade to 13.5.3 or later

Is CVE-2024-10761 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 11.0.0, < 13.5.3
>= 11.0.0, < 13.5.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-10761
PATCHgithub.com/umbraco/Umbraco-CMS
WEBdrive.google.com/file/d/1YoZgdlS3QT7Xu005j9RO-FFUT8RbB0Da/view?usp=sharing
WEBgithub.com/umbraco/Umbraco-CMS/security/advisories/GHSA-69cg-w8vm-h229