Umbraco Forms HTML Injection Vulnerability in Email Workflow

Vulnerability

A vulnerability exists in Umbraco Forms versions 7.0.0 through 15.0.0, excluding the fixed 13.4.2 and 15.1.2 releases. The issue lies in the 'Send email' workflow, which does not HTML encode user-provided field values before placing them in the body of outgoing email messages. Because the injected markup is delivered by the site's own mail configuration, a form using this workflow can be made to send messages that appear to come from a trusted source, potentially circumventing spam filters and email client security measures.
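The following C# illustration is added here and is not code from the advisory or from Umbraco Forms; it shows the pattern the advisory describes (user field values concatenated directly into an HTML email body) next to the hardened form, where every value passes through HtmlEncoder from System.Text.Encodings.Web. The NotificationBody class, its method names and the sample submission are constructed for the example.

```csharp
// Added illustration, not Umbraco Forms' own code: builds the HTML body of a
// notification email from submitted field values, first without encoding (the
// defect the advisory describes) and then with HTML encoding applied to each value.
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Encodings.Web;

public static class NotificationBody
{
    // Vulnerable pattern: field values are concatenated into the markup as-is,
    // so any tags typed into a form field become live HTML in the email.
    public static string BuildUnencoded(IReadOnlyDictionary<string, string> fields)
    {
        var sb = new StringBuilder("<ul>");
        foreach (var (name, value) in fields)
        {
            sb.Append("<li><strong>").Append(name).Append(":</strong> ")
              .Append(value).Append("</li>");
        }
        return sb.Append("</ul>").ToString();
    }

    // Hardened pattern: every user-supplied string goes through HtmlEncoder,
    // so '<', '>', '&' and quotes reach the mail client as literal characters.
    public static string BuildEncoded(IReadOnlyDictionary<string, string> fields)
    {
        var enc = HtmlEncoder.Default;
        var sb = new StringBuilder("<ul>");
        foreach (var (name, value) in fields)
        {
            sb.Append("<li><strong>").Append(enc.Encode(name)).Append(":</strong> ")
              .Append(enc.Encode(value)).Append("</li>");
        }
        return sb.Append("</ul>").ToString();
    }

    public static void Main()
    {
        // Constructed submission: the "message" field carries markup instead of plain text.
        var submission = new Dictionary<string, string>
        {
            ["name"] = "A. Visitor",
            ["message"] = "<b>Hello</b> & <i>welcome</i>",
        };

        // Unencoded: the <b> and <i> tags render in the recipient's mail client.
        Console.WriteLine(BuildUnencoded(submission));
        // Encoded: the same text is shown as "&lt;b&gt;Hello&lt;/b&gt; &amp; ..." and renders literally.
        Console.WriteLine(BuildEncoded(submission));
    }
}
```

When reviewing a custom workflow or email template, the check is simple: any string that originated in a form field must be encoded for the context it is written into (HTML body here), and encoding the template once at the top is not a substitute for encoding each value at the point of insertion.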

Impact

Exploitation of this vulnerability allows for HTML injection in emails sent through the affected workflow, with the potential for more severe consequences depending on the email client's handling of the injected HTML.

Remediation

Updating to Umbraco Forms 13.4.2 or 15.1.2 resolves the issue. On versions that cannot be patched or are no longer supported, the 'Send email with template (Razor)' workflow can be used instead, or a custom workflow type can be created. To keep the vulnerable workflow from being selected in the future, the 'SendEmail' workflow type can be removed using a composer.
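One way to carry out the last step, as an added example that is not the advisory's or Umbraco's own code: a composer that excludes the built-in SendEmail workflow type from the workflow collection, so editors can no longer attach it to forms. It assumes the .NET (Core) line of Umbraco Forms (version 9 and later), where composition is done through IUmbracoBuilder; the namespaces Umbraco.Forms.Core.Providers and Umbraco.Forms.Core.Providers.WorkflowTypes and the class names WorkflowCollectionBuilder and SendEmail are assumed from the Umbraco Forms extension API, and the composer's own name and namespace are made up for the example.

```csharp
// Added example, not Umbraco's own code: removes the vulnerable 'Send email'
// workflow type from the collection Umbraco Forms offers to editors.
// Assumes Umbraco Forms 9+ on .NET; the namespaces and type names below are
// taken from the Forms extension API and should be checked against the
// installed package version.
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Forms.Core.Providers;
using Umbraco.Forms.Core.Providers.WorkflowTypes;

namespace MySite.Composers   // hypothetical project namespace
{
    // Composers are discovered and run automatically at application start-up.
    public class RemoveSendEmailWorkflowComposer : IComposer
    {
        public void Compose(IUmbracoBuilder builder)
        {
            // Exclude<T>() drops the type from the ordered collection, so it no
            // longer appears in the workflow picker in the Forms back office.
            builder.WithCollectionBuilder<WorkflowCollectionBuilder>()
                   .Exclude<SendEmail>();
        }
    }
}
```

After deploying this, confirm in the back office that 'Send email' is absent from the list of available workflows, and audit existing forms for workflows of that type that were attached before the change, since removing the type from the collection does not rewrite stored form definitions.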

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 7.9
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.