
GHSA-h8wc-r4jh-mg7m: Umbraco allows possible Admin-level access to backoffice without Auth under rare conditions

Under rare conditions, a restart of Umbraco can allow unauthorized users to gain admin-level permissions.

Impact

An unauthorized user gains admin-level access and permissions to the backoffice.

Patches

10.6.1, 11.4.2, 12.0.1

Workarounds

  • Enabling the Unattended Install feature means the vulnerability is not exploitable.
  • Restricting */install/* and */umbraco/* to an allow-list of IP addresses limits exposure to those addresses. Behind a reverse proxy or load balancer, enforce the restriction at the proxy, because the client address the application sees is otherwise the proxy's own.
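The second workaround, as an added example that is not Umbraco's own code: an ASP.NET Core middleware that answers 403 to any request under /install or /umbraco unless the remote address falls inside an allow-list. The class name, the sample allow-list and the placement ahead of app.UseUmbraco() in Program.cs are assumptions; the CIDR prefix check is written inline here rather than taken from a library.

```csharp
// Added example, not part of the Umbraco code base. Applies the advisory's
// IP-restriction workaround as middleware: requests to the install and
// backoffice paths are refused unless the peer address is allow-listed.
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class BackofficeIpRestriction
{
    // Constructed sample allow-list: loopback plus an assumed internal admin
    // subnet. A real deployment would load this from configuration.
    private static readonly (IPAddress Network, int PrefixLength)[] Allowed =
    {
        (IPAddress.Parse("127.0.0.1"), 32),
        (IPAddress.Parse("10.20.0.0"), 16),
    };

    // Paths named in the advisory. If the backoffice path was changed from the
    // default /umbraco, list that path instead.
    private static readonly PathString[] Protected =
    {
        new PathString("/install"),
        new PathString("/umbraco"),
    };

    // Register with app.UseBackofficeIpRestriction() before app.UseUmbraco()
    // (assumed placement) so the check runs ahead of any install or backoffice
    // handler.
    public static IApplicationBuilder UseBackofficeIpRestriction(this IApplicationBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            bool isProtected = false;
            foreach (PathString p in Protected)
            {
                if (context.Request.Path.StartsWithSegments(p)) { isProtected = true; break; }
            }
            if (!isProtected) { await next(); return; }

            // RemoteIpAddress is the TCP peer. Behind a reverse proxy that is
            // the proxy, not the client: either configure the ForwardedHeaders
            // middleware for that proxy first, or enforce the allow-list there.
            IPAddress? remote = context.Connection.RemoteIpAddress;
            if (remote is null || !IsAllowed(remote))
            {
                context.Response.StatusCode = StatusCodes.Status403Forbidden;
                return;
            }
            await next();
        });
    }

    public static bool IsAllowed(IPAddress remote)
    {
        // Kestrel reports IPv4 peers as ::ffff:a.b.c.d on dual-stack sockets.
        if (remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();
        foreach (var (network, prefix) in Allowed)
        {
            if (InSubnet(remote, network, prefix)) return true;
        }
        return false;
    }

    // Prefix comparison on the raw address bytes; works for IPv4 and IPv6 as
    // long as the address and the network entry are the same family.
    public static bool InSubnet(IPAddress address, IPAddress network, int prefixLength)
    {
        if (address.AddressFamily != network.AddressFamily) return false;
        byte[] a = address.GetAddressBytes();
        byte[] n = network.GetAddressBytes();
        int fullBytes = prefixLength / 8;
        int remainingBits = prefixLength % 8;
        for (int i = 0; i < fullBytes; i++)
        {
            if (a[i] != n[i]) return false;
        }
        if (remainingBits == 0) return true;
        int mask = (0xFF << (8 - remainingBits)) & 0xFF;
        return (a[fullBytes] & mask) == (n[fullBytes] & mask);
    }
}
```

This is a stopgap for hosts that cannot upgrade immediately; the fix is still to move to a patched version. Note that the rule blocks the whole backoffice, not just the install endpoint, so editors outside the allow-list lose access until the patch is applied.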

GitHub Advisory Database entry (GitHub Reviewed) for CVE-2023-37267

High severity. Published Jul 13, 2023 in umbraco/Umbraco-CMS; updated Jul 13, 2023.

Package: Umbraco.Cms.Infrastructure (NuGet)
  Affected versions: >= 9.0.0, < 10.6.1; >= 11.0.0, < 11.4.2; = 12.0.0
  Patched versions: 10.6.1, 11.4.2, 12.0.1

Package: Umbraco.Cms.Web.BackOffice (NuGet)
  Affected versions: >= 9.0.0, < 10.6.1; >= 11.0.0, < 11.4.2; = 12.0.0
  Patched versions: 10.6.1, 11.4.2, 12.0.1

Note that the 9.x line falls inside the affected range (>= 9.0.0, < 10.6.1) and no 9.x patch is listed, so 9.x installs have to move to 10.6.1 or later rather than take a point release.


Related news

CVE-2023-37267: Possible admin-level access to backoffice without authentication under rare conditions

Umbraco is an ASP.NET CMS. Under rare conditions, a restart of Umbraco can give unauthorized users admin-level permissions. The vulnerability was patched in versions 10.6.1, 11.4.2 and 12.0.1.
