How the CVE Works:
The vulnerability in Umbraco.Forms arises from missing output encoding in the “Send email” workflow. When user-supplied form field values are placed into the notification email, they are not HTML-encoded, so an attacker can inject arbitrary HTML (including script tags) into the email body. Because the message originates from a trusted system, the injected content may pass spam filters and is rendered by email clients that display HTML. Most mail clients strip or refuse to execute script, so the realistic outcome is HTML injection: attacker-controlled links, forms and images displayed inside a message the recipient trusts, which supports phishing. Script execution (XSS) is possible only in clients that actually run it.
Exploitation requires nothing more than submitting the form with field values that contain HTML/script payloads. If the form has the vulnerable “Send email” workflow attached, the payload is delivered unencoded to the configured recipient and appears to come from a legitimate source. The impact is confined to the email channel (this is not persistent XSS on the website itself), but it can still facilitate social engineering or act as a stepping stone to further exploitation.
DailyCVE Form:
Platform: Umbraco.Forms
Version: <13.4.2, <15.1.2
Vulnerability: HTML Injection
Severity: Low
Date: May 13, 2025
What Undercode Say:
Exploitation:
1. Craft a form submission whose field value carries markup, e.g. the text field field1 set to a script tag (the attacker does not need the site's own input element; posting the value directly works just as well):
<input type="text" name="field1" value="<script>alert('XSS')</script>">
2. Submit it to a form on a vulnerable Umbraco.Forms instance that has the “Send email” workflow attached.
3. The configured recipient receives an email whose body contains the value unencoded; a client that renders HTML displays the injected markup.
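The following Python model, added here as an example and not Umbraco's own code, reproduces the mechanism described above: a notification body is built by interpolating submitted field values into an HTML table. With encode=False the values go in verbatim, as in the affected versions; with encode=True they are HTML-encoded first, which is what the fixed releases do. The field names, addresses and the submission itself are constructed for the demonstration.

```python
"""Model of the "Send email" defect (added example, not Umbraco's code).
render_body(encode=False) copies field values verbatim into the HTML mail
body; encode=True HTML-encodes them first. Everything below is constructed."""
import html
import re
from email.message import EmailMessage

# Constructed submission: a benign field, the payload from step 1 above, and a
# phishing link, which is the more realistic payload for a mail client.
SUBMISSION = {
    "name": "Alice",
    "field1": "<script>alert('XSS')</script>",
    "message": 'Please confirm at <a href="https://evil.example/login">your account</a>',
}

# Tags the notification template itself emits; anything else came from a field.
TEMPLATE_TAGS = {"html", "body", "table", "tr", "th", "td"}
TAG_RE = re.compile(r"<\s*/?\s*([a-z][a-z0-9]*)", re.I)


def render_body(fields, encode):
    """Build the HTML notification body. encode=False reproduces the bug."""
    rows = []
    for name, value in fields.items():
        shown = html.escape(value, quote=True) if encode else value
        rows.append(f"<tr><th>{html.escape(name)}</th><td>{shown}</td></tr>")
    return "<html><body><table>" + "".join(rows) + "</table></body></html>"


def foreign_tags(body):
    """Tag names in the body that are not part of the template, i.e. were
    injected through a field value. Empty for a correctly encoded body."""
    found = {m.group(1).lower() for m in TAG_RE.finditer(body)}
    return sorted(found - TEMPLATE_TAGS)


def build_mail(fields, encode, sender="forms@example.com", to="admin@example.com"):
    """Assemble the notification as a multipart/alternative message, as a
    workflow handing the body to an SMTP client would."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = "New form submission"
    msg.set_content("A new form submission was received.")
    msg.add_alternative(render_body(fields, encode), subtype="html")
    return msg


def html_part(msg):
    """Return the decoded HTML part, i.e. what an HTML-rendering client shows."""
    return msg.get_body(preferencelist=("html",)).get_content()


if __name__ == "__main__":
    for encode in (False, True):
        body = render_body(SUBMISSION, encode)
        print(f"encode={encode}: injected tags = {foreign_tags(body)}")
```

Running the block prints the injected tag names for the vulnerable rendering (the script tag and the anchor) and an empty list for the encoded one; foreign_tags is also a cheap check to run against a captured notification email when triaging a suspected abuse.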
Detection:
Check which forms have the plain “Send email” workflow attached. The snippet is pseudocode: it assumes an injected Umbraco Forms workflow service and a logger, and the "SendEmail" alias should be confirmed against the installed version's workflow type list.
// Enumerate configured workflows and warn on every plain "Send email" instance.
var workflows = WorkflowService.GetAll();
foreach (var wf in workflows.Where(w => w.Alias == "SendEmail"))
{
    Log.Warn("Vulnerable workflow detected: " + wf.Name);
}
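Knowing which forms carry the workflow answers "are we exposed"; the next question is "was it used". The Python triage helper below is an added example, not part of Umbraco or of this page's original code: it takes an export of stored submissions together with the workflow aliases configured per form, flags field values containing HTML tags, event-handler attributes or script URLs, and marks whether each hit would have been mailed out verbatim by the plain "SendEmail" workflow. The form aliases, workflow inventory and records are constructed; the assumption that the Razor template workflow encodes values (Razor encodes @-expressions unless Html.Raw is used) is noted in the code.

```python
"""Triage helper (added example, not Umbraco's code): flag stored submissions
whose field values carry markup and note whether the form's "SendEmail"
workflow would have mailed them out unencoded. All data below is constructed."""
import re
from dataclasses import dataclass

# Patterns an HTML-rendering mail client would act on.
HTML_TAG = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*(\s[^>]*)?>", re.I)
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.I)
SCRIPT_URL = re.compile(r"(javascript|data|vbscript)\s*:", re.I)

# Constructed inventory: form alias -> workflow type aliases configured on it.
# Assumption: the Razor template workflow encodes values, so it is not flagged.
FORM_WORKFLOWS = {
    "contactUs": ["SendEmail", "SaveAsFile"],
    "newsletter": ["SendEmailRazor"],
}

# Constructed export of submissions: record id, form alias, field values.
RECORDS = [
    {"id": 101, "form": "contactUs",
     "fields": {"name": "Bob", "message": "Hello, just a question."}},
    {"id": 102, "form": "contactUs",
     "fields": {"name": "<script>alert('XSS')</script>", "message": "x"}},
    {"id": 103, "form": "contactUs",
     "fields": {"name": "Eve",
                "message": '<a href="https://evil.example/reset">Reset your password</a>'}},
    {"id": 104, "form": "newsletter",
     "fields": {"email": "<img src=x onerror=alert(1)>"}},
    {"id": 105, "form": "contactUs",
     "fields": {"name": "Mallory", "message": "Click <b>here</b> javascript:void(0)"}},
]


@dataclass(frozen=True)
class Finding:
    record_id: int
    form: str
    field: str
    indicators: tuple
    mailed_raw: bool  # True if the plain SendEmail workflow is on this form


def indicators_for(value):
    """Return the markup indicators present in one field value, in a fixed order."""
    hits = []
    if HTML_TAG.search(value):
        hits.append("html-tag")
    if EVENT_HANDLER.search(value):
        hits.append("event-handler")
    if SCRIPT_URL.search(value):
        hits.append("script-url")
    return tuple(hits)


def scan(records, form_workflows):
    """Walk the export and produce one Finding per suspicious field value."""
    findings = []
    for rec in records:
        # Exact alias match: "SendEmailRazor" must not count as "SendEmail".
        mailed_raw = "SendEmail" in form_workflows.get(rec["form"], [])
        for field, value in rec["fields"].items():
            hits = indicators_for(str(value))
            if hits:
                findings.append(Finding(rec["id"], rec["form"], field, hits, mailed_raw))
    return findings


if __name__ == "__main__":
    for f in scan(RECORDS, FORM_WORKFLOWS):
        flag = "MAILED RAW" if f.mailed_raw else "encoded workflow"
        print(f"record {f.record_id} form={f.form} field={f.field} {f.indicators} {flag}")
```

Findings with mailed_raw set are the ones whose recipients should be asked whether they clicked anything; the others show the same attacker interest but went through a workflow that encodes. The patterns are deliberately loose (a legitimate "<b>" in a message is flagged too), which is the right trade-off for a one-off triage pass over a bounded export.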
Mitigation:
1. Patch: Upgrade to Umbraco.Forms 13.4.2 or 15.1.2 (or later within the respective line); these are the first fixed releases.
2. Workaround: Move affected forms to the Razor template email workflow, which encodes @-expressions by default (unless the template uses Html.Raw), and drop the plain workflow's registration so editors cannot re-attach it:
// Requires Microsoft.Extensions.DependencyInjection.Extensions; run during composition.
// Type name as given here; confirm it matches the workflow class in the installed Forms version.
services.RemoveAll<SendEmailWorkflow>();
3. Sanitize manually (if unpatched): HTML-encode every field value before it is placed in the message body, not just the fields you expect to be free text:
using System.Web;
// Encodes <, >, &, and quotes so a mail client renders the value as text, not markup.
public string SanitizeEmailContent(string input) => HttpUtility.HtmlEncode(input);
Analytics:
- Attack Vector: Email-based HTML injection.
- Prerequisites: Form submission + “Send email” workflow.
- Risk: Low (no direct server compromise).
Sources:
Reported By: github.com