Описание
Umbraco Workflow's Backoffice users can execute arbitrary SQL
Impact
Backoffice users can execute arbitrary SQL.
Explanation of the vulnerability
A Backoffice user can modify requests to a particular API endpoint to include SQL which will be executed by the server.
Affected versions
All versions
Patches
Workflow 10.3.9, 12.2.6, 13.0.6, Plumber 10.1.2
References
Пакеты
Umbraco.Workflow
< 10.3.9
10.3.9
Umbraco.Workflow
>= 11.0.0-rc1, < 12.2.6
12.2.6
Umbraco.Workflow
>= 13.0.0-rc1, < 13.0.6
13.0.6
Plumber.Workflow
< 10.1.2
10.1.2
Связанные уязвимости
Umbraco workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which will be executed by the server. Umbraco Workflow versions 10.3.9, 12.2.6, 13.0.6, as well as Umbraco Plumber version 10.1.2, contain a patch for this issue.