GHSA-287f-46j7-j4wh: Umbraco Workflow's Backoffice users can execute arbitrary SQL

Impact

Backoffice users can execute arbitrary SQL.

Explanation of the vulnerability

A Backoffice user can modify requests to a particular API endpoint to include SQL which will be executed by the server.
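The advisory does not publish the affected endpoint or parameter, so the following is an added illustration of the vulnerability class it describes, not Umbraco Workflow's own code: a request field spliced into a SQL string, beside the same lookup with the value bound as a parameter. The table, rows and handler names are constructed for the example, and SQLite stands in for the server's database.

```python
import sqlite3

# Constructed sample data for the example (not from the advisory): a table of
# workflow tasks belonging to three different backoffice users.
SAMPLE_TASKS = [
    (1, "alice", "Publish homepage"),
    (2, "bob", "Review pricing page"),
    (3, "carol", "Retire old campaign"),
]

# A request value an authenticated user could send instead of a plain username.
CRAFTED_OWNER = "nobody' OR '1'='1"


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tasks (id INTEGER, owner TEXT, title TEXT)")
    con.executemany("INSERT INTO tasks VALUES (?, ?, ?)", SAMPLE_TASKS)
    return con


def tasks_unsafe(owner: str) -> list:
    """Hypothetical vulnerable handler: the request field becomes part of the
    SQL text, so quotes and operators in it are executed as SQL."""
    con = _connect()
    sql = f"SELECT id, owner, title FROM tasks WHERE owner = '{owner}'"
    return con.execute(sql).fetchall()


def tasks_safe(owner: str) -> list:
    """Hardened handler: the request field is passed as a bound parameter and
    is only ever compared as data, whatever characters it contains."""
    con = _connect()
    sql = "SELECT id, owner, title FROM tasks WHERE owner = ?"
    return con.execute(sql, (owner,)).fetchall()


if __name__ == "__main__":
    print("unsafe:", tasks_unsafe(CRAFTED_OWNER))  # every row, not just the caller's
    print("safe:  ", tasks_safe(CRAFTED_OWNER))    # no row has that literal owner
```

The unsafe handler returns all three rows for the crafted value because the tautology rewrites the WHERE clause; the parameterised handler returns nothing, since no owner is literally named `nobody' OR '1'='1`. The same binding applies to any ORM or micro-ORM used with Umbraco: build the statement once, pass user-controlled values separately.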

Affected versions

All versions before the patched releases listed under Patches (see the per-package ranges below).

Patches

Umbraco.Workflow 10.3.9, 12.2.6 and 13.0.6; Plumber.Workflow 10.1.2. Note that there is no patched 11.x release: the affected range >= 11.0.0-rc1, < 12.2.6 spans every 11.x version, so 11.x installs need to move to 12.2.6 or later.

References

Upgrading Umbraco Workflow


Package

Plumber.Workflow (NuGet)

  Affected versions          Patched version
  < 10.1.2                   10.1.2

Umbraco.Workflow (NuGet)

  Affected versions          Patched version
  < 10.3.9                   10.3.9
  >= 11.0.0-rc1, < 12.2.6    12.2.6
  >= 13.0.0-rc1, < 13.0.6    13.0.6
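To turn the ranges above into an inventory check, here is an added script (not part of the advisory or of Umbraco's tooling) that encodes them and reports whether an installed NuGet package version is affected and which release fixes it. It parses SemVer-style versions including the `-rc1` pre-release tags used in the ranges; the package names and bounds are the ones listed on this page, and the version parser is a deliberately small one written for this example.

```python
# Affected ranges as listed on this advisory: package -> list of
# (lower bound inclusive or None, upper bound exclusive). The upper bound of
# each range is also the patched release for that line.
AFFECTED_RANGES = {
    "Plumber.Workflow": [
        (None, "10.1.2"),
    ],
    "Umbraco.Workflow": [
        (None, "10.3.9"),
        ("11.0.0-rc1", "12.2.6"),
        ("13.0.0-rc1", "13.0.6"),
    ],
}


def parse_version(v: str) -> tuple:
    """Turn a NuGet/SemVer-style version ('12.2.6', '11.0.0-rc1', '13.0.6+build')
    into a comparable key. Build metadata after '+' is ignored and, as SemVer
    requires, a pre-release sorts before the release with the same numbers."""
    core, _, pre = v.split("+", 1)[0].partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (3 - len(nums))          # normalise '10.3' to 10.3.0
    if not pre:
        return (nums, 1, ())                # release: sorts after any pre-release
    ids = tuple((0, int(x)) if x.isdigit() else (1, x) for x in pre.split("."))
    return (nums, 0, ids)                   # pre-release identifiers compared in order


def _in_range(key: tuple, low, high: str) -> bool:
    if low is not None and key < parse_version(low):
        return False
    return key < parse_version(high)


def is_affected(package: str, version: str) -> bool:
    """True if the given package version falls inside an affected range."""
    key = parse_version(version)
    return any(_in_range(key, low, high) for low, high in AFFECTED_RANGES.get(package, []))


def minimum_fix(package: str, version: str):
    """Lowest patched release for the affected range the version sits in,
    or None when the version is not affected (or the package is unknown)."""
    key = parse_version(version)
    for low, high in AFFECTED_RANGES.get(package, []):
        if _in_range(key, low, high):
            return high
    return None


if __name__ == "__main__":
    # Constructed inventory lines for the demo, not real installations.
    for pkg, ver in [("Umbraco.Workflow", "10.3.8"), ("Umbraco.Workflow", "11.4.0"),
                     ("Umbraco.Workflow", "13.0.6"), ("Plumber.Workflow", "10.1.1")]:
        fix = minimum_fix(pkg, ver)
        print(f"{pkg} {ver}: {'upgrade to ' + fix if fix else 'not affected'}")
```

Because the 11.x line has no patch of its own, `minimum_fix` reports `12.2.6` for any 11.x version, which matches the advisory's patched releases. Feed it the versions from your `.csproj` or `packages.lock.json` files rather than trusting a single installed site.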


References

  • GHSA-287f-46j7-j4wh
  • https://nvd.nist.gov/vuln/detail/CVE-2024-32872

Published by netcamo to umbraco/Umbraco.Workflow.Issues: Apr 24, 2024
Published by the National Vulnerability Database: Apr 24, 2024
Published to the GitHub Advisory Database: Apr 24, 2024
Reviewed: Apr 24, 2024
Last updated: Apr 24, 2024
