Andy Butland

**Name of the Vulnerable Software and Affected Versions** Umbraco versions 13.0.0 through 13.9.2 Umbraco versions 15.0.0 through 15.4.1 Umbraco versions 16.0.0 through 16.1.0 **Description** Umbraco’s [content delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api) can be restricted to require an API key in a header for authorization. Output caching can also be configured to improve performance. A flaw exists when both features are enabled concurrently, as caching does not differentiate requests based on the API key header. This allows an unauthorized user to retrieve cached responses for a specific path and query if a request with a valid key was recently made. **Recommendations** Umbraco versions 13.0.0 through 13.9.2: Upgrade to version 13.9.3 or later. Umbraco versions 15.0.0 through 15.4.1: Upgrade to version 15.4.4 or later. Umbraco versions 16.0.0 through 16.1.0: Upgrade to version 16.1.1 or later. As a workaround, remove or reduce the output caching time period. As a workaround, implement additional restrictions to access the delivery API, such as by IP address.

Name of the Vulnerable Software and Affected Versions: Umbraco versions prior to 15.2.3 Umbraco versions prior to 14.3.3 Description: An improper API access control issue has been identified in Umbraco's API management package, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. Recommendations: For versions prior to 15.2.3, update to version 15.2.3 or later. For versions prior to 14.3.3, update to version 14.3.3 or later.

**Name of the Vulnerable Software and Affected Versions** Umbraco versions 14.0.0 through 14.3.1 Umbraco versions 15.0.0 through 15.1.1 **Description** The issue allows an attacker to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. **Recommendations** For Umbraco versions 14.0.0 through 14.3.1, update to version 14.3.2 to resolve the issue. For Umbraco versions 15.0.0 through 15.1.1, update to version 15.1.2 to resolve the issue.