CSP-CERT® Resources:
CVE-2018-17256: Persistent Cross-Site Scripting on Umbraco CMS

by Roman Canlas
posted November 2018

Umbraco CMS 7.12.3 and possibly versions before are vulnerable to persistent cross-site scripting through the “Header Name” of a content. This allows authenticated users to inject arbitrary web script that could be executed in a later time because it is stored in the system. This is due to unsanitized data being saved through the said field.

Vulnerability Information

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Umbraco CMS 7.12.3 and possibly versions before are vulnerable to a type 2 XSS (Stored Cross-site Scripting). The data entered in the “Header Name” field is not sanitized leading to arbitrary web scripts getting executed upon data presentation. This however, is only accessible to a logged-in administrator level user which lessens the risk of the vulnerability.


Authenticated administrators may inject arbitrary web scripts leading to execution on clients visiting the web page.


The Umbraco development team has committed a fix in the official GitHub repository. This is referenced with commit aaa920719f5ae5ef16d75034ebb9870f696c2b46 (URL in references).

Vendor Information

  • Vendor: UmbracoCMS
  • Date Notified (Advisory Request from Discoverer): November 15, 2018
  • Public Disclose: November 16, 2018


We would like to thank Roman Canlas for coordinating with CSPCERT for the CVE assignment and advisory.