Improper Encoding or Escaping of Output
CVE-2025-47280
Summary
Umbraco Forms is a form builder that integrates with the Umbraco content management system. The 'Send email' workflow does not HTML encode the user-provided field values before placing them in the body of the sent email message, so any form with this workflow configured is vulnerable: the resulting message is sent from a trusted system and address, potentially bypassing spam filters and email client security controls. This vulnerability affects UmbracoForms package versions 7.0.0 and after, and Umbraco.Forms package versions 7.0.0 through 13.4.1 and 14.0.0-beta001 through 15.1.1. Umbraco.Forms is patched in 13.4.2 and 15.1.2. Unpatched or unsupported versions can work around this issue by using the `Send email with template (Razor)` workflow instead, or by writing a custom workflow type. To avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using a composer available in the GitHub Security Advisory for this vulnerability.
- LOW
- NETWORK
- LOW
- CHANGED
- REQUIRED
- NONE
- LOW
- NONE
CWE-116 - Improper Encoding or Escaping of Output
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
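The defect class described in the summary and in the CWE-116 definition above, shown as an added example in plain .NET (this is not code from Umbraco Forms or from the advisory): a hypothetical email-body builder that concatenates submitted field values straight into HTML, beside a hardened version that HTML-encodes every untrusted value with `System.Net.WebUtility.HtmlEncode` before it enters HTML context. The field names and values are constructed sample data, and `ContainsRawMarkup` is a small check a reviewer might use to confirm that no value reached the body unencoded.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

// Hypothetical stand-in for a form submission: field label -> user-provided value.
// Nothing here is tied to the Umbraco Forms API; it only illustrates the encoding issue.
static class EmailBodyBuilder
{
    // Mirrors the defect class from the advisory: values are concatenated into an
    // HTML email body without encoding, so markup inside a value becomes part of
    // the message structure that the recipient's mail client renders.
    public static string BuildUnsafe(IReadOnlyDictionary<string, string> fields)
    {
        var sb = new StringBuilder("<table>");
        foreach (var (label, value) in fields)
        {
            sb.Append("<tr><td>").Append(label)
              .Append("</td><td>").Append(value).Append("</td></tr>");
        }
        sb.Append("</table>");
        return sb.ToString();
    }

    // Hardened form: every untrusted string is HTML-encoded at the point where it is
    // placed into HTML context, so field contents cannot change the message structure.
    public static string BuildEncoded(IReadOnlyDictionary<string, string> fields)
    {
        var sb = new StringBuilder("<table>");
        foreach (var (label, value) in fields)
        {
            sb.Append("<tr><td>").Append(WebUtility.HtmlEncode(label))
              .Append("</td><td>").Append(WebUtility.HtmlEncode(value)).Append("</td></tr>");
        }
        sb.Append("</table>");
        return sb.ToString();
    }

    // Review/test helper: true if any raw field value appears verbatim in the body
    // while containing characters that must be encoded in HTML.
    public static bool ContainsRawMarkup(string body, IReadOnlyDictionary<string, string> fields)
    {
        foreach (var value in fields.Values)
        {
            if (value.IndexOfAny(new[] { '<', '>', '&', '"', '\'' }) >= 0 && body.Contains(value))
                return true;
        }
        return false;
    }

    public static void Main()
    {
        // Constructed sample submission; the Message value deliberately contains markup.
        var submission = new Dictionary<string, string>
        {
            ["Name"] = "Jane Doe",
            ["Message"] = "<b>Hello</b> & welcome",
        };

        string unsafeBody = BuildUnsafe(submission);
        string encodedBody = BuildEncoded(submission);

        Console.WriteLine(unsafeBody);
        Console.WriteLine(encodedBody);
        Console.WriteLine($"unsafe body leaks raw markup:  {ContainsRawMarkup(unsafeBody, submission)}");
        Console.WriteLine($"encoded body leaks raw markup: {ContainsRawMarkup(encodedBody, submission)}");
    }
}
```

In the encoded body the sample value appears as `&lt;b&gt;Hello&lt;/b&gt; &amp; welcome`, so the mail client displays it as literal text rather than interpreting it as markup; the `ContainsRawMarkup` check reports `True` for the unsafe builder and `False` for the encoded one. The same rule applies to a custom workflow type written as the advisory's workaround: encode at the output boundary, for the context (HTML body, plain-text body, header) the value is written into.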
Advisory Timeline
- Published