Umbraco · Umbraco Engage · CVE-2026-27449
**Name of the Vulnerable Software and Affected Versions**
Umbraco Engage versions prior to 16.2.1
Umbraco Engage versions prior to 17.1.1
**Description**
Umbraco Engage is a business intelligence platform. A security issue exists in Umbraco Engage where certain API endpoints lack proper authentication or authorization checks. These endpoints can be accessed directly over the network without valid user credentials. An attacker can retrieve sensitive data associated with arbitrary records by supplying a user-controlled identifier parameter, such as `id`. The lack of access control allows for enumeration attacks, enabling attackers to extract data at scale. The exposed data may include analytics data, tracking data, and customer-related information. The confidentiality impact is considered high.
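An added example, not part of the advisory or of Umbraco's code: a log check for the enumeration pattern described above, where a client with no session successfully reads many distinct `id` values. The log line format, the `/example-api/` prefix and the threshold are assumptions, since the advisory does not name the affected endpoints.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the advisory): placeholder route prefix, parameter name
# and threshold. Replace them with values from your own deployment.
API_PREFIX = "/example-api/"
ID_PARAM = "id"
THRESHOLD = 5  # distinct ids read by one client before it is flagged

# Assumed log format: ip user "METHOD url" status   (user "-" means no session)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3})$'
)

# Constructed sample log lines, using documentation IP ranges.
SAMPLE_LOG = (
    [f'203.0.113.7 - "GET /example-api/records?id={i}" 200' for i in range(101, 107)]
    + [f'198.51.100.4 editor1 "GET /example-api/records?id={i}" 200' for i in range(101, 107)]
    + [
        '192.0.2.9 - "GET /example-api/records?id=101" 200',
        '192.0.2.9 - "GET /example-api/records?id=101" 200',
        '192.0.2.9 - "GET /home" 200',
        '203.0.113.9 - "GET /example-api/records?id=7" 401',
    ]
)


def find_enumeration(lines, prefix=API_PREFIX, threshold=THRESHOLD):
    """Return {ip: sorted ids} for clients without a session that got a 200
    for at least `threshold` distinct id values under `prefix`."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        # Only successful, unauthenticated reads are relevant here.
        if not m or m["user"] != "-" or m["status"] != "200":
            continue
        url = urlsplit(m["url"])
        if not url.path.startswith(prefix):
            continue
        for value in parse_qs(url.query).get(ID_PARAM, []):
            seen[m["ip"]].add(value)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(ids)} distinct ids read without a session: {ids}")
```

Run over logs from before the upgrade, the result gives a first scope of which records may have been read without credentials.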
**Recommendations**
Update to Umbraco Engage version 16.2.1.
Update to Umbraco Engage version 17.1.1.