PT-2023-25870 · Umbraco · Umbraco
1K-Off
·
Published
2023-07-13
·
Updated
2023-07-25
·
CVE-2023-37267
CVSS v3.1
7.5
High
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Umbraco versions prior to 10.6.1
Umbraco versions prior to 11.4.2
Umbraco versions prior to 12.0.1
Description
Under rare conditions, a restart of Umbraco can allow unauthorized users to gain admin-level permissions, potentially leading to unauthorized access to the backoffice.
Recommendations
For versions prior to 10.6.1, update to version 10.6.1 or later.
For versions prior to 11.4.2, update to version 11.4.2 or later.
For versions prior to 12.0.1, update to version 12.0.1 or later.
As a temporary workaround, consider enabling the Unattended Install feature to prevent exploitation.
Additionally, enabling IP restrictions to
/install/* and /umbraco/* can limit exposure to allowed IP addresses.Exploit
Fix
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Umbraco