PT-2026-3051 · Unknown · Umbraco Cms

Ngoanhduc · Published 2026-01-15 · Updated 2026-01-15 · CVE-2021-47776

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Umbraco CMS version 8.14.1

Description

The software contains a server-side request forgery issue that allows attackers to manipulate baseUrl parameters. This manipulation can occur in several controller endpoints, including the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints. Successful exploitation enables attackers to initiate unauthorized server-side requests to external hosts. The affected API endpoints are: '/umbraco/api/dashboard/help/page', '/umbraco/api/dashboard/content', and '/umbraco/api/dashboard/css'.

Recommendations

Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the GetContextHelpForPage(), GetRemoteDashboardContent(), and GetRemoteDashboardCss() functions.
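
A detection sketch for the endpoints and parameter named above, added here as an example and not part of the advisory or of Umbraco's code: it scans access-log lines for requests to the three listed paths whose baseUrl points at a host outside an allowlist. The common/combined log format, the sample lines and the allowlisted host dashboard.example.org are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint paths exactly as listed in the advisory above.
ENDPOINTS = {
    "/umbraco/api/dashboard/help/page",
    "/umbraco/api/dashboard/content",
    "/umbraco/api/dashboard/css",
}

# Client and request target of a common/combined-format log entry (assumed format).
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def find_ssrf_candidates(log_lines, allowed_hosts):
    """Return (client, path, host) for requests whose baseUrl host is not allowed."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        path = target.path.rstrip("/").lower()
        if path not in ENDPOINTS:
            continue
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if name.lower() != "baseurl":
                continue
            # Compare the parsed hostname, never a substring of the raw value.
            try:
                host = (urlsplit(value).hostname or "").lower()
            except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
                host = ""
            if host not in allowed:
                hits.append((m.group("client"), path, host or value))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Jan/2026:10:00:01 +0000] "GET /umbraco/api/dashboard/content?section=content&baseUrl=https://dashboard.example.org/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Jan/2026:10:00:05 +0000] "GET /umbraco/api/dashboard/css?section=content&baseUrl=https%3A%2F%2Fhost.example.net%2F HTTP/1.1" 200 87',
    '203.0.113.9 - - [15/Jan/2026:10:00:06 +0000] "GET /Umbraco/Api/Dashboard/Help/Page?baseUrl=http://host.example.net/x HTTP/1.1" 200 40',
    '198.51.100.7 - - [15/Jan/2026:10:00:09 +0000] "GET /umbraco/login?baseUrl=http://host.example.net/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_ssrf_candidates(SAMPLE_LOG, {"dashboard.example.org"}):
        print(hit)
```

Replace the allowlist with the hosts your installation legitimately fetches dashboard and help content from; any remaining hit on an unpatched 8.14.1 instance is worth reviewing.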

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2021-47776
GHSA-H66J-XM43-47PP

Affected Products

Umbraco Cms