Umbraco allows possible Admin-level access to backoffice without Auth under rare conditions

GHSA-h8wc-r4jh-mg7m · CVE-2023-37267

Published Jul 13, 2023 · Modified Feb 16, 2024

Description

Under rare conditions, a restart of Umbraco can allow unauthorized users to gain admin-level permissions.

Impact

An unauthorized user gaining admin-level access and permissions to the backoffice.

Patches

10.6.1, 11.4.2, 12.0.1

Workarounds

Enabling the Unattended Install feature will mean the vulnerability is not exploitable.
Enabling IP restrictions to */install/* and */umbraco/* will limit the exposure to allowed IP addresses.

References

7.5 / 10

HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Packages

NuGet/Umbraco.Cms.Infrastructure

Fix 10.6.1, 11.4.2, 12.0.1

Introduced 11.0.0, 12.0.0, 9.0.0

61 affected versions

10.0.010.0.0-rc510.0.110.1.010.1.0-rc10.1.0-rc210.1.110.2.010.2.0-rc10.2.110.3.010.3.0-rc10.3.110.3.210.4.010.4.0-rc10.4.110.4.210.5.010.5.0-rc +41 more

NuGet/Umbraco.Cms.Web.BackOffice

Fix 10.6.1, 11.4.2, 12.0.1

Introduced 11.0.0, 12.0.0, 9.0.0

65 affected versions

10.0.010.0.0-rc110.0.0-rc210.0.0-rc310.0.0-rc410.0.0-rc510.0.110.1.010.1.0-rc10.1.0-rc210.1.110.2.010.2.0-rc10.2.110.3.010.3.0-rc10.3.110.3.210.4.010.4.0-rc +45 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes