ghsa-2qrj-g9hq-chph
Vulnerability from github
Published
2025-05-13 20:17
Modified
2025-05-13 20:17
Severity ?
0.0 (None) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
2.3 (Low) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:U
Summary
Umbraco.Forms has HTML injection vulnerability in 'Send email' workflow
Details

Impact

The 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address (potentially bypassing spam and email client security systems).

Patches

This issue affects all (supported) versions Umbraco Forms and is patched in 13.4.2 and 15.1.2.

Workarounds

Unpatched or unsupported versions can workaround this issue by using the 'Send email with template (Razor)' workflow instead or writing a custom workflow type.

To avoid accidentally using the vulnerable workflow again, the SendEmail workflow type can be removed using the following composer (tested on Umbraco 10, 13, 14 and 15): ```c# using Umbraco.Cms.Core.Composing; using Umbraco.Forms.Core.Providers.Extensions; using Umbraco.Forms.Core.Providers.WorkflowTypes;

internal sealed class RemoveFormsSendEmailWorkflowTypeComposer : IComposer { public void Compose(IUmbracoBuilder builder) => builder.FormsWorkflows().Exclude(); } ```

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Forms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "13.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "UmbracoForms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "last_affected": "8.13.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Forms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "15.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-13T20:17:36Z",
    "nvd_published_at": "2025-05-13T17:16:04Z",
    "severity": "LOW"
  },
  "details": "### Impact\nThe \u0027Send email\u0027 workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address (potentially bypassing spam and email client security systems).\n\n### Patches\nThis issue affects all (supported) versions Umbraco Forms and is patched in 13.4.2 and 15.1.2.\n\n### Workarounds\nUnpatched or unsupported versions can workaround this issue by using the \u0027Send email with template (Razor)\u0027 workflow instead or [writing a custom workflow type](https://docs.umbraco.com/umbraco-forms/developer/extending/adding-a-workflowtype).\n\nTo avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using the following composer (tested on Umbraco 10, 13, 14 and 15):\n```c#\nusing Umbraco.Cms.Core.Composing;\nusing Umbraco.Forms.Core.Providers.Extensions;\nusing Umbraco.Forms.Core.Providers.WorkflowTypes;\n\ninternal sealed class RemoveFormsSendEmailWorkflowTypeComposer : IComposer\n{\n    public void Compose(IUmbracoBuilder builder)\n        =\u003e builder.FormsWorkflows().Exclude\u003cSendEmail\u003e();\n}\n```",
  "id": "GHSA-2qrj-g9hq-chph",
  "modified": "2025-05-13T20:17:36Z",
  "published": "2025-05-13T20:17:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-2qrj-g9hq-chph"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47280"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco.Forms.Issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Umbraco.Forms has HTML injection vulnerability in \u0027Send email\u0027 workflow"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.