{"id":"CVE-2024-55488","details":"A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. NOTE: This has been disputed by the vendor since this potential attack is only possible via authenticated users who have been manually allowed access to the CMS. There was a deliberate decision made not to apply HTML sanitization at the product level.","modified":"2026-04-10T05:18:35.358715Z","published":"2025-01-22T16:15:29.770Z","references":[{"type":"WEB","url":"http://umbraco.com"},{"type":"EVIDENCE","url":"https://www.nccgroup.com/us/research-blog/technical-advisory-cross-site-scripting-in-umbraco-rich-text-display/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/umbraco/umbraco-cms","events":[{"introduced":"0"},{"last_affected":"6caf53ed2e62762ae07f2b8a73403f30594b42fa"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"14.3.1"}]}}],"versions":["4.7.2","Release-4.5.2","Release-4.6.0","Sprint-Juno-A","release-10.0.0-rc1","release-11.0.0-rc1","release-14.0.0--preview004","release-14.0.0--preview005","release-14.0.0--preview006","release-14.3.0","release-14.3.0-rc","release-14.3.1","release-6.1.0-beta","release-7.0.0","release-7.0.0-RC","release-7.0.0-beta","release-7.1.0","release-7.1.0-RC","release-7.1.1","release-7.1.2","release-7.1.3","release-7.1.4","release-7.2.0-alpha","release-7.2.0-beta","release-7.2.0-beta2","release-9.0.0","release-9.0.0-beta001","release-9.0.0-beta002","release-9.0.0-beta003","release-9.0.0-beta004","release-9.0.0-rc002","release-9.0.0-rc003","release-9.0.0-rc004","release-netcore-0.5.0-alpha001","release-netcore-alpha002","release-netcore-alpha004","v14.0.0--preview005"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-55488.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}