exploitDog

GHSA-cfr5-7p54-4qg8

Published: 13 Dec 2023
Source: github
Github: Reviewed
CVSS3: 5.4

Description

Privilege Escalation using Spoofing

Impact

Users with low privileges (Editor, etc.) are able to access some unintended endpoints.

Explanation of the vulnerability

- Possible to delete redirect URLs, when disabled by admin, with only access to backoffice
- Possible to access the examine dashboard with only access to backoffice
- Possible to access the published cache dashboard with only access to backoffice
- Possible to access the telemetry dashboard with only access to backoffice
- Possible to access the languages with only access to backoffice
- Possible to access the stylesheets with only access to backoffice

Packages

Name: Umbraco.CMS (nuget)
Affected versions: >= 8.0.0, < 8.18.10
Fixed version: 8.18.10

Name: Umbraco.CMS (nuget)
Affected versions: >= 9.0.0, < 10.8.1
Fixed version: 10.8.1

Name: Umbraco.CMS (nuget)
Affected versions: >= 11.0.0, < 12.3.4
Fixed version: 12.3.4

EPSS

Percentile: 50%
0.00264
Low

CVSS3: 5.4 Medium

Weaknesses

CWE-863

Related vulnerabilities

CVSS3: 5.4
nvd
about 2 years ago

Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.
