PT-2020-17166 · Umbraco · Umbraco
Published: 2020-12-02 · Updated: 2021-07-21 · CVE-2020-29454
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Umbraco versions through 8.9.1
Description
The issue allows a user to access a log viewer endpoint without having the necessary Applications.Settings access. This is due to a problem in the Editors/LogViewerController.cs file.
Recommendations
For Umbraco versions through 8.9.1, consider restricting access to the log viewer endpoint until a fix is available. As a temporary workaround, review and adjust the access controls for Applications.Settings so that only authorized users can access the log viewer.
Fix
Incorrect Authorization
Incorrect Permission
Affected Products
Umbraco