GHSA-cfr5-7p54-4qg8

Suggest an improvement
Source
https://github.com/advisories/GHSA-cfr5-7p54-4qg8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-cfr5-7p54-4qg8/GHSA-cfr5-7p54-4qg8.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cfr5-7p54-4qg8
Aliases
Published
2023-12-13T13:25:38Z
Modified
2024-01-12T16:47:24.383539Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Privilege Escalation using Spoofing
Details

Impact

Users with low privileges ( Editor, etc) are able to access some unintended endpoints.

Explanation of the vulnerability

Possible to delete redirect urls, when disabled by admin with only access to backoffice Possible to access the examine dashboard with only access to backoffice Possible to access the published cache dashboard with only access to backoffice Possible to access the telemetry dashboard with only access to backoffice Possible to access the languages with only access to backoffice Possible to access the stylesheets with only access to backoffice

Database specific
{
    "nvd_published_at": "2023-12-12T19:15:08Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-13T13:25:38Z"
}
References

Affected packages

NuGet / Umbraco.CMS

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.18.10

NuGet / Umbraco.CMS

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0
Fixed
10.8.1

Affected versions

9.*

9.0.0
9.0.1
9.1.0-rc
9.1.0
9.1.1
9.1.2
9.2.0-rc
9.2.0
9.3.0-rc
9.3.0
9.3.1
9.4.0-rc
9.4.0
9.4.1
9.4.2
9.4.3
9.5.0-rc
9.5.0-rc2
9.5.0-rc3
9.5.0
9.5.1
9.5.2
9.5.3
9.5.4

10.*

10.0.0-rc1
10.0.0-rc2
10.0.0-rc3
10.0.0-rc4
10.0.0-rc5
10.0.0
10.0.1
10.1.0-rc
10.1.0-rc2
10.1.0
10.1.1
10.2.0-rc
10.2.0
10.2.1
10.3.0-rc
10.3.0
10.3.1
10.3.2
10.4.0-rc
10.4.0
10.4.1
10.4.2
10.5.0-rc
10.5.0
10.5.1
10.6.0-rc
10.6.0
10.6.1
10.7.0-rc
10.7.0
10.8.0-rc
10.8.0

NuGet / Umbraco.CMS

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
12.3.4

Affected versions

11.*

11.0.0
11.1.0-rc
11.1.0
11.2.0-rc
11.2.0
11.2.1
11.2.2
11.3.0-rc
11.3.0
11.3.1
11.4.0-rc
11.4.0
11.4.1
11.4.2
11.5.0-rc
11.5.0

12.*

12.0.0-rc1
12.0.0-rc2
12.0.0-rc3
12.0.0-rc4
12.0.0-rc5
12.0.0
12.0.1
12.1.0-rc
12.1.0
12.1.1
12.1.2
12.2.0-rc
12.2.0
12.3.0-rc
12.3.0
12.3.1
12.3.2
12.3.3