PT-2025-31370 · Umbraco · Umbraco

Andy Butland · Published 2025-07-29 · Updated 2025-07-30 · CVE-2025-54425

CVSS v3.1: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions:

Umbraco versions 13.0.0 through 13.9.2

Umbraco versions 15.0.0 through 15.4.1

Umbraco versions 16.0.0 through 16.1.0

Description:

Umbraco’s [content delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api) can be restricted to require an API key in a header for authorization. Output caching can also be configured to improve performance. A flaw exists when both features are enabled concurrently, as caching does not differentiate requests based on the API key header. This allows an unauthorized user to retrieve cached responses for a specific path and query if a request with a valid key was recently made.

Recommendations:

Umbraco versions 13.0.0 through 13.9.2: Upgrade to version 13.9.3 or later.

Umbraco versions 15.0.0 through 15.4.1: Upgrade to version 15.4.4 or later.

Umbraco versions 16.0.0 through 16.1.0: Upgrade to version 16.1.1 or later.

As a workaround, remove or reduce the output caching time period.

As a workaround, implement additional restrictions to access the delivery API, such as by IP address.
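To make the cache-key problem and the mitigation concrete, the following is an added illustration written against the ASP.NET Core output-caching API that Umbraco builds on. It is not Umbraco's code, it is not the patch shipped in the fixed versions, and it does not model the real Delivery API endpoints. It assumes the key is carried in an `Api-Key` request header and read from the `Umbraco:CMS:DeliveryApi:ApiKey` setting; both are assumptions in this example. The first policy keys cache entries on path and query alone, which is the condition the description above names; the second adds the header to the cache key and shortens the lifetime, matching the workaround of reducing the caching period.

```csharp
// Added illustration (not Umbraco's code): two output-cache policies for an
// API-key-protected endpoint. Only the hardened one is applied below; the weak
// one is kept to show which setting produces the behaviour in the advisory.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.OutputCaching;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Header carrying the API key (assumed name for this example).
const string ApiKeyHeader = "Api-Key";

builder.Services.AddOutputCache(options =>
{
    // WEAK: the cache key is path + query only. A 200 produced for a request
    // that carried a valid key is later served to a request with no key at all
    // for as long as the entry lives (30 minutes here).
    options.AddPolicy("DeliveryWeak", policy => policy
        .Expire(TimeSpan.FromMinutes(30)));

    // HARDENED: the key header becomes part of the cache key, so a request
    // without a key (or with a different one) cannot hit an entry populated by
    // an authorized request. The short lifetime bounds exposure if the key
    // variation is ever lost again.
    options.AddPolicy("DeliveryHardened", policy => policy
        .SetVaryByHeader(ApiKeyHeader)
        .Expire(TimeSpan.FromSeconds(60)));
});

var app = builder.Build();
app.UseOutputCache();

// Stand-in for a protected Delivery API endpoint; the real Umbraco routes and
// response shapes are not modelled. Configuration key is assumed.
app.MapGet("/umbraco/delivery/api/v2/content", (HttpContext ctx) =>
{
    var expectedKey = app.Configuration["Umbraco:CMS:DeliveryApi:ApiKey"];
    if (!ctx.Request.Headers.TryGetValue(ApiKeyHeader, out var supplied)
        || supplied != expectedKey)
    {
        // Output caching does not store non-200 responses, so this 401 is
        // never reused for a later request.
        return Results.Unauthorized();
    }
    return Results.Ok(new { items = new[] { "protected content" } });
}).CacheOutput("DeliveryHardened"); // swap to "DeliveryWeak" to reproduce the flaw

app.Run();
```

With the weak policy, a request carrying the valid key populates the entry and a second request for the same path and query with no header is answered from cache with the authorized body. With the hardened policy the key-less request has a different cache key, misses, reaches the handler and receives 401. A useful check after upgrading or reconfiguring is exactly that two-request sequence: the second response must not be a cache hit unless it carried the same key.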

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-54425
GHSA-75VQ-QVHR-7FFR

Affected Products

Umbraco