Listen to this Post
The vulnerability exists because the confirmation dialog in the Umbraco backoffice fails to properly encode user-supplied input before rendering it. An authenticated user can inject arbitrary HTML or JavaScript code into a vulnerable input field. When an action triggers the confirmation dialog, the malicious payload is executed within the context of the victim’s browser. For example, an attacker could craft a payload like `` which, when rendered, would execute the JavaScript. This occurs because the application uses the `content` property of the confirmation dialog to display the unvalidated input directly. The root cause is the absence of output encoding in the `umbOpenModal` or `umbConfirmModal` functions. The issue is fixed in Umbraco CMS version 17.4.0.
DailyCVE Form: Platform: Umbraco CMS Version: 17.0.0-17.3.x Vulnerability: XSS/HTML Injection Severity: Moderate Date: May 21, 2026 Prediction: Already patched in 17.4.0
Analytics under What Undercode Say:
This attack vector highlights a common failure in handling dynamic content within client-side frameworks. The unescaped reflection of data into a modal’s DOM tree is a classic XSS primitive. The vulnerability does not require any special privileges beyond standard backoffice access, making it a high-likelihood attack path. A Content Security Policy (CSP) would have mitigated the impact of JavaScript execution but not the underlying injection issue. The fix in 17.4.0 implements proper HTML encoding for all user-provided strings passed to the confirmation dialog component.
Showing bash commands and codes related to the blog
Check current Umbraco version dotnet run --project MyUmbracoProject/MyUmbracoProject.csproj --info | grep "Version" Upgrade Umbraco CMS to patched version dotnet add MyUmbracoProject package Umbraco.Cms --version 17.4.0 Scan for vulnerable versions using NuGet vulnerability scanner dotnet list package --vulnerable --include-transitive
// Vulnerable code example (conceptual illustration)
var dialogData = new UmbConfirmModalData
{
Content = userInput, // Directly passed without encoding
Headline = "Confirmation"
};
umbOpenModal(this, UMB_CONFIRM_MODAL, dialogData);
// Patched version with output encoding
var encodedInput = System.Text.Encodings.Web.HtmlEncoder.Default.Encode(userInput);
var dialogDataSafe = new UmbConfirmModalData
{
Content = encodedInput,
Headline = "Confirmation"
};
Exploit:
An attacker, logged into the Umbraco backoffice, identifies an input field where the value is later displayed in a confirmation dialog. They can inject a payload like:
`
`
or for persistent impact:
``
When another user with higher privileges (like an administrator) triggers the vulnerable action that renders this input in a confirmation dialog, the script executes in their browser. This could lead to session hijacking, privilege escalation, or the defacement of the backoffice interface.
Protection from this CVE:
Upgrade: Immediately update to Umbraco CMS version 17.4.0 or later.
Input Validation & Output Encoding: Ensure all user-supplied data rendered in the backoffice is properly encoded. For the confirmation dialog, the `content` property must be treated as text, not HTML.
Content Security Policy: Deploy a strict CSP to limit the execution of arbitrary scripts, even if an injection occurs. For example, a policy that disallows `unsafe-inline` and restricts script sources to trusted domains.
Least Privilege: Restrict the number of users with backoffice access and regularly audit their permissions.
Impact:
Successful exploitation allows an authenticated attacker to execute arbitrary HTML and script code in the context of a victim’s backoffice session. This can lead to several severe outcomes:
Session Theft: An attacker could steal the session cookie of an administrator, leading to full account takeover.
Privilege Escalation: By executing code in an administrator’s session, the attacker could perform actions on their behalf, such as creating new administrative users or modifying system settings.
Data Theft: Sensitive information displayed in the backoffice could be extracted.
Defacement: The attacker could modify the visual appearance of the backoffice, misleading users or disrupting operations.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

