Umbraco · Umbraco · CVE-2023-48227
**Name of the Vulnerable Software and Affected Versions**
Umbraco versions 8.0.0 through 8.18.9 (8.18.10 is not affected)
Umbraco versions prior to 10.7.0
Umbraco versions prior to 12.3.0
**Description**
The issue allows Backoffice users who have the "Send for Approval" permission but not the publish permission to publish content in some scenarios. A user who is only allowed to send content for approval can bypass the restriction by modifying the request body of the "Send for Approval" request.
**Recommendations**
For Umbraco versions prior to 8.18.10, update to version 8.18.10 or later.
For Umbraco versions prior to 10.7.0, update to version 10.7.0 or later.
For Umbraco versions prior to 12.3.0, update to version 12.3.0 or later.
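
A triage check for the version ranges listed above, added here as an example and not taken from the advisory or from Umbraco. It assumes each fixed version applies to its own release line (8.x, 9.x/10.x, 11.x/12.x) and treats a pre-release of a fixed version as unpatched; the function names and the sample inventory are constructed.

```python
import re

# Fixed releases from the advisory. Assumption: each bound applies to its own
# release line (8.x -> 8.18.10, 9.x/10.x -> 10.7.0, 11.x/12.x -> 12.3.0).
FIXED_BY_MAJOR = {
    8: (8, 18, 10),
    9: (10, 7, 0),
    10: (10, 7, 0),
    11: (12, 3, 0),
    12: (12, 3, 0),
}


def parse_version(text):
    """Parse 'major.minor.patch' with an optional pre-release suffix such as '-rc1'."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+\S+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is not None


def check_umbraco(version_text):
    """Return (affected, upgrade_target) for one installed Umbraco version."""
    version, prerelease = parse_version(version_text)
    fixed = FIXED_BY_MAJOR.get(version[0])
    if fixed is None:
        return False, None  # outside the release lines the advisory lists
    # Assumption: a pre-release of the fixed version is treated as not yet fixed.
    affected = version < fixed or (version == fixed and prerelease)
    return (True, ".".join(map(str, fixed))) if affected else (False, None)


def triage(inventory):
    """Map {site: version} to {site: upgrade_target} for affected sites only."""
    findings = {}
    for site, version_text in inventory.items():
        affected, target = check_umbraco(version_text)
        if affected:
            findings[site] = target
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; site names are placeholders.
    sample = {"intranet": "8.18.9", "shop": "8.18.10", "blog": "10.6.1",
              "docs": "12.3.0-rc1", "portal": "13.0.0"}
    for site, target in triage(sample).items():
        print(f"{site}: affected, upgrade to {target} or later")
```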