The vulnerability stems from unsafe HTML rendering in the TitleAndDescription field type. The patch introduces the `TitleAndDescription:AllowUnsafeHtmlRendering` configuration setting to control this behaviour, which indicates that the rendering logic previously lacked proper sanitization by default. In vulnerable versions the field's description content (user-controllable input) was rendered without sufficient escaping, enabling XSS when the field was edited by authenticated users. Although the documentation does not give exact function names, the configuration change together with the CWE-79 classification strongly implicates the TitleAndDescription field rendering component.
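The behaviour the patch describes, an encode-by-default renderer gated by an explicit opt-in flag, as an added illustration that is not Umbraco Forms' own code. It assumes the full setting path `Umbraco:Forms:FieldTypes:TitleAndDescription:AllowUnsafeHtmlRendering` (the advisory only names the tail) and the Microsoft.Extensions.Configuration and Configuration.Binder packages.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Encodings.Web;
using Microsoft.Extensions.Configuration;

// Hypothetical encode-by-default renderer; not Umbraco Forms' own code.
public static class TitleAndDescriptionRenderer
{
    // Assumption: the setting sits under the Umbraco:Forms:FieldTypes section;
    // the advisory only names the "TitleAndDescription:AllowUnsafeHtmlRendering" tail.
    public const string SettingKey =
        "Umbraco:Forms:FieldTypes:TitleAndDescription:AllowUnsafeHtmlRendering";

    // Returns the markup to emit for the field's description.
    // Unless the flag is explicitly true, every character that could open a tag
    // or attribute is HTML-encoded, so editor-supplied markup is shown as text.
    public static string Render(string description, IConfiguration config)
    {
        bool allowUnsafe = config.GetValue<bool>(SettingKey, false); // default: safe
        return allowUnsafe
            ? description                              // raw HTML, opt-in only
            : HtmlEncoder.Default.Encode(description); // e.g. "<" becomes "&lt;"
    }

    public static void Main()
    {
        // Constructed sample: a description that carries a script tag.
        const string description = "<b>Welcome</b><script>alert('xss')</script>";

        foreach (var value in new[] { "false", "true" })
        {
            IConfiguration config = new ConfigurationBuilder()
                .AddInMemoryCollection(new Dictionary<string, string?>
                {
                    [SettingKey] = value,
                })
                .Build();
            Console.WriteLine($"{SettingKey}={value}:");
            Console.WriteLine("  " + Render(description, config));
        }
    }
}
```

With the flag at its default of `false` the script tag is emitted as encoded text rather than markup; only an explicit `true` reproduces the raw rendering of the vulnerable versions.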
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Umbraco.Forms | nuget | >= 13.0.0, < 13.0.1 | 13.0.1 |
| Umbraco.Forms | nuget | >= 12.0.0, < 12.2.2 | 12.2.2 |
| Umbraco.Forms | nuget | >= 10.0.0, < 10.5.3 | 10.5.3 |
| Umbraco.Forms | nuget | >= 8.0.0, < 8.13.13 | 8.13.13 |