GHSA-2QRJ-G9HQ-CHPH

Vulnerability from github – Published: 2025-05-13 20:17 – Updated: 2025-05-13 20:17
Summary
Umbraco.Forms has HTML injection vulnerability in 'Send email' workflow
Details

Impact

The 'Send email' workflow does not HTML-encode the user-provided field values before inserting them into the sent email message. Any form with this workflow configured is therefore vulnerable: a submitter can inject arbitrary HTML into an email that is sent from a trusted system and sender address, potentially bypassing spam filtering and email client security controls.
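The defect class above (CWE-116, improper encoding of output) is easiest to see side by side. The following is an added illustration written for this page, not Umbraco Forms' own SendEmail implementation: it models a workflow that builds an HTML email body from submitted field values, once without encoding (the flawed behaviour) and once with System.Net.WebUtility.HtmlEncode applied to every user-supplied string. The submission dictionary is constructed sample input.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

// Illustrative model of the defect, NOT Umbraco Forms' code.
internal static class EmailBodyDemo
{
    // Constructed sample submission: the "Message" field carries attacker-controlled markup.
    private static readonly Dictionary<string, string> SampleSubmission = new()
    {
        ["Name"] = "Alice",
        ["Message"] = "<a href=\"https://example.invalid/reset\">Your account is locked, click here</a>",
    };

    // Mirrors the flaw: field names and values are concatenated into the HTML body verbatim,
    // so any tags in the submission become live markup in the recipient's mail client.
    public static string BuildBodyUnencoded(IDictionary<string, string> fields)
    {
        var sb = new StringBuilder("<ul>");
        foreach (var (name, value) in fields)
            sb.Append("<li><b>").Append(name).Append("</b>: ").Append(value).Append("</li>");
        return sb.Append("</ul>").ToString();
    }

    // Hardened form: every user-supplied string is HTML-encoded before interpolation.
    // The field name is encoded too, since form editors can rename fields freely.
    public static string BuildBodyEncoded(IDictionary<string, string> fields)
    {
        var sb = new StringBuilder("<ul>");
        foreach (var (name, value) in fields)
            sb.Append("<li><b>").Append(WebUtility.HtmlEncode(name))
              .Append("</b>: ").Append(WebUtility.HtmlEncode(value)).Append("</li>");
        return sb.Append("</ul>").ToString();
    }

    // Simple check a reviewer can run over a generated body: no raw '<' or '>' may survive
    // from user input. Here we compare against the encoded value of the sample field.
    public static bool ContainsInjectedMarkup(string body) =>
        body.Contains("<a href=", StringComparison.Ordinal);

    public static void Main()
    {
        string unsafeBody = BuildBodyUnencoded(SampleSubmission);
        string safeBody = BuildBodyEncoded(SampleSubmission);

        Console.WriteLine(unsafeBody);
        Console.WriteLine("injected markup present: " + ContainsInjectedMarkup(unsafeBody));
        Console.WriteLine(safeBody);
        Console.WriteLine("injected markup present: " + ContainsInjectedMarkup(safeBody));
    }
}
```

Run against the sample, the unencoded body carries a clickable anchor pointing at the attacker's URL while the encoded body shows the same text as literal `&lt;a href=...&gt;`. The same encoding step is what the 'Send email with template (Razor)' workflow gets for free, because Razor HTML-encodes `@`-expressions by default.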

Patches

This issue affects all (supported) versions of Umbraco Forms and is patched in 13.4.2 and 15.1.2. The affected-range data below lists Umbraco.Forms from 7.0.0 up to (but excluding) 13.4.2 and from 14.0.0 up to (but excluding) 15.1.2, and the legacy UmbracoForms package through 8.13.16 with no fixed version listed.

Workarounds

Unpatched or unsupported versions can work around this issue by using the 'Send email with template (Razor)' workflow instead, or by writing a custom workflow type (https://docs.umbraco.com/umbraco-forms/developer/extending/adding-a-workflowtype).

To avoid accidentally using the vulnerable workflow again, the SendEmail workflow type can be removed from the set of available workflow types with the following composer (tested on Umbraco 10, 13, 14 and 15):

using Umbraco.Cms.Core.Composing;
using Umbraco.Forms.Core.Providers.Extensions;
using Umbraco.Forms.Core.Providers.WorkflowTypes;

// Composers are discovered automatically at startup; no registration is needed.
internal sealed class RemoveFormsSendEmailWorkflowTypeComposer : IComposer
{
    // Excludes the built-in SendEmail workflow type so editors can no longer
    // attach it to a form; existing forms that already use it should be
    // switched to the Razor-template workflow or a custom workflow type.
    public void Compose(IUmbracoBuilder builder)
        => builder.FormsWorkflows().Exclude<SendEmail>();
}

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Forms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "13.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "UmbracoForms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "last_affected": "8.13.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Forms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "15.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-13T20:17:36Z",
    "nvd_published_at": "2025-05-13T17:16:04Z",
    "severity": "LOW"
  },
  "details": "### Impact\nThe \u0027Send email\u0027 workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address (potentially bypassing spam and email client security systems).\n\n### Patches\nThis issue affects all (supported) versions Umbraco Forms and is patched in 13.4.2 and 15.1.2.\n\n### Workarounds\nUnpatched or unsupported versions can workaround this issue by using the \u0027Send email with template (Razor)\u0027 workflow instead or [writing a custom workflow type](https://docs.umbraco.com/umbraco-forms/developer/extending/adding-a-workflowtype).\n\nTo avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using the following composer (tested on Umbraco 10, 13, 14 and 15):\n```c#\nusing Umbraco.Cms.Core.Composing;\nusing Umbraco.Forms.Core.Providers.Extensions;\nusing Umbraco.Forms.Core.Providers.WorkflowTypes;\n\ninternal sealed class RemoveFormsSendEmailWorkflowTypeComposer : IComposer\n{\n    public void Compose(IUmbracoBuilder builder)\n        =\u003e builder.FormsWorkflows().Exclude\u003cSendEmail\u003e();\n}\n```",
  "id": "GHSA-2qrj-g9hq-chph",
  "modified": "2025-05-13T20:17:36Z",
  "published": "2025-05-13T20:17:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-2qrj-g9hq-chph"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47280"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco.Forms.Issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Umbraco.Forms has HTML injection vulnerability in \u0027Send email\u0027 workflow"
}

