
CVE-2017-15279: Umbraco CMS vulnerable to stored XSS

CVSS Score: 5.4 (CVSS v3.0)

Basic Information

EPSS Score: 0.41874%
Published: 5/17/2022
Updated: 10/24/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name          Ecosystem   Vulnerable Versions   First Patched Version
UmbracoCMS.Web        nuget       < 7.7.3               7.7.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing HTML encoding in two UI rendering flows. Commit fe2b86b adds Server.HtmlEncode() at both locations:

  1. In Publish.aspx.cs, the page name (doc.Name) was written into the page unencoded during publishing operations.
  2. In notifications.aspx.cs, node names (node.Text) were rendered unencoded in admin notifications.

Both locations output a user-controlled node name directly, with no output encoding, which creates a stored XSS vector: a page name supplied by a low-privileged backoffice user is persisted by the CMS and later rendered, unescaped, in the browser of whoever opens the publish dialog or the notification (hence PR:L and UI:R in the CVSS vector). The high confidence comes from the clear before/after contrast in the patches and from the CWE-79 classification matching the unencoded web output pattern.
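The following console program is an added example and is not Umbraco's code. It models the two render sites described above in their pre-fix and post-fix forms, using System.Net.WebUtility.HtmlEncode as a stand-in for the WebForms Server.HtmlEncode (same entity encoding, no ASP.NET host needed); the markup templates, the class and method names, and the three page names are all hypothetical. It goes one step beyond the page by also showing an attribute-context payload, which is why encoding of quotes, not just angle brackets, matters.

```csharp
// Added example, not Umbraco's code. Templates and names below are hypothetical.
using System;
using System.Collections.Generic;
using System.Net;

public static class NodeNameRendering
{
    // Pre-fix pattern (Publish.aspx.cs): doc.Name concatenated straight into markup.
    public static string PublishMessageVulnerable(string docName) =>
        "<p>" + docName + " has been published.</p>";

    // Post-fix pattern: encode at the point of output, as commit fe2b86b does.
    public static string PublishMessageFixed(string docName) =>
        "<p>" + WebUtility.HtmlEncode(docName) + " has been published.</p>";

    // Pre-fix pattern (notifications.aspx.cs): node.Text rendered into both an
    // attribute and a text node; an unencoded double quote escapes the attribute.
    public static string NotificationRowVulnerable(string nodeText) =>
        "<a title=\"" + nodeText + "\">" + nodeText + "</a>";

    public static string NotificationRowFixed(string nodeText)
    {
        string safe = WebUtility.HtmlEncode(nodeText); // encodes < > & " and '
        return "<a title=\"" + safe + "\">" + safe + "</a>";
    }

    // Counts the characters that can open or close markup in the rendered output.
    private static int CountMarkupChars(string s)
    {
        int n = 0;
        foreach (char c in s)
            if (c == '<' || c == '>' || c == '"' || c == '\'') n++;
        return n;
    }

    // Invariant a practitioner can apply to any render site: the number of raw
    // markup characters in the output must not depend on the input. Rendering the
    // empty string yields the template's own count; any difference comes from input.
    public static bool InputChangesMarkup(Func<string, string> render, string input) =>
        CountMarkupChars(render(input)) != CountMarkupChars(render(""));

    public static void Main()
    {
        // Constructed page names an authenticated, low-privileged editor might submit.
        var names = new List<string>
        {
            "About us",                                 // benign
            "<script>alert(document.cookie)</script>",  // text-context injection
            "x\" onmouseover=\"alert(1)",               // attribute-context breakout
        };

        foreach (string name in names)
        {
            Console.WriteLine("page name: " + name);
            Console.WriteLine("  publish (vulnerable): " + PublishMessageVulnerable(name));
            Console.WriteLine("  publish (fixed)     : " + PublishMessageFixed(name));
            Console.WriteLine("  notify  (vulnerable): " + NotificationRowVulnerable(name));
            Console.WriteLine("  notify  (fixed)     : " + NotificationRowFixed(name));
            Console.WriteLine("  input alters markup? vulnerable=" +
                InputChangesMarkup(NotificationRowVulnerable, name) +
                ", fixed=" + InputChangesMarkup(NotificationRowFixed, name));
        }
    }
}
```

Run it with `dotnet run` in a console project. The benign name passes both renderers unchanged, the two payloads alter the markup only under the vulnerable renderers, and the fixed renderers still display the editor's name verbatim once the browser decodes the entities, so encoding at the output point costs nothing in functionality.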


WAF Protection Rules

WAF Rule

Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 allows remote attackers to inject arbitrary web script or HTML via the "page name" (aka nodename) parameter during the creation of a new page, related to `Umbraco.Web.UI/umbraco/dia

T** vuln*r**ility st*ms *rom missin* *TML *n*o*in* in two k*y UI r*n**rin* *lows. T** *ommit ******* *xpli*itly ***s S*rv*r.*tml*n*o**() to *ot* lo**tions: *. In Pu*lis*.*spx.*s, t** p*** n*m* (*o*.N*m*) w*s *ispl*y** r*w *urin* pu*lis*in* op*r*tions