Access Control Bypass Affecting umbraco.cms package, versions [9.0.0,10.6.1)[11.0.0,11.4.2)[12.0.0,12.0.1)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.6% (44th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DOTNET-UMBRACOCMS-5775820
  • published14 Jul 2023
  • disclosed13 Jul 2023
  • credit1k-off

Introduced: 13 Jul 2023

CVE-2023-37267  (opens in a new tab)
CWE-284  (opens in a new tab)

How to fix?

Upgrade Umbraco.Cms to version 10.6.1, 11.4.2, 12.0.1 or higher.

Overview

Affected versions of this package are vulnerable to Access Control Bypass. Under rare conditions, a restart of Umbraco can allow unauthorized users to gain admin-level permissions.

Workaround

  1. Enabling the Unattended Install feature will mean the vulnerability is not exploitable.

  2. Enabling IP restrictions to */install/* and */umbraco/* will limit the exposure to allowed IP addresses.

CVSS Base Scores

version 3.1