
    2 vulnerabilities found for Umbraco.Workflow.Issues by umbraco

    CVE-2024-32872 (GCVE-0-2024-32872)

    Vulnerability from cvelistv5 – Published: 2024-04-24 14:46 – Updated: 2024-08-02 02:20
    VLAI
    Title
    Umbraco Workflow's Backoffice users can execute arbitrary SQL
    Summary
    Umbraco Workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which the server then executes. Exploitation requires an existing Backoffice account (the CVSS vector in the record below lists privileges required as HIGH). Umbraco Workflow versions 10.3.9, 12.2.6, and 13.0.6, as well as Umbraco Plumber version 10.1.2, contain a patch for this issue.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor: umbraco
    Product: Umbraco.Workflow.Issues
    Affected versions:
    • < 10.3.9
    • >= 11.0.0-rc1, < 12.2.6
    • >= 13.0.0-rc1, < 13.0.6

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32872",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-03T17:17:40.848568Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-03T18:23:57.789Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:35.662Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/umbraco/Umbraco.Workflow.Issues/security/advisories/GHSA-287f-46j7-j4wh",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/umbraco/Umbraco.Workflow.Issues/security/advisories/GHSA-287f-46j7-j4wh"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Umbraco.Workflow.Issues",
              "vendor": "umbraco",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 10.3.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.0.0-rc1, \u003c 12.2.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 13.0.0-rc1, \u003c 13.0.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Umbraco workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which will be executed by the server. Umbraco Workflow versions 10.3.9, 12.2.6, 13.0.6, as well as Umbraco Plumber version 10.1.2, contain a patch for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-24T14:46:28.239Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/umbraco/Umbraco.Workflow.Issues/security/advisories/GHSA-287f-46j7-j4wh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/umbraco/Umbraco.Workflow.Issues/security/advisories/GHSA-287f-46j7-j4wh"
            }
          ],
          "source": {
            "advisory": "GHSA-287f-46j7-j4wh",
            "discovery": "UNKNOWN"
          },
          "title": "Umbraco Workflow\u0027s Backoffice users can execute arbitrary SQL"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-32872",
        "datePublished": "2024-04-24T14:46:28.239Z",
        "dateReserved": "2024-04-19T14:07:11.229Z",
        "dateUpdated": "2024-08-02T02:20:35.662Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32872 (GCVE-0-2024-32872)

    Vulnerability from nvd – Published: 2024-04-24 14:46 – Updated: 2024-08-02 02:20
    VLAI
    Title
    Umbraco Workflow's Backoffice users can execute arbitrary SQL
    Summary
    Umbraco Workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which the server then executes. Exploitation requires an existing Backoffice account (the CVSS vector in the record below lists privileges required as HIGH). Umbraco Workflow versions 10.3.9, 12.2.6, and 13.0.6, as well as Umbraco Plumber version 10.1.2, contain a patch for this issue.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor: umbraco
    Product: Umbraco.Workflow.Issues
    Affected versions:
    • < 10.3.9
    • >= 11.0.0-rc1, < 12.2.6
    • >= 13.0.0-rc1, < 13.0.6

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32872",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-03T17:17:40.848568Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-03T18:23:57.789Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:35.662Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/umbraco/Umbraco.Workflow.Issues/security/advisories/GHSA-287f-46j7-j4wh",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/umbraco/Umbraco.Workflow.Issues/security/advisories/GHSA-287f-46j7-j4wh"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Umbraco.Workflow.Issues",
              "vendor": "umbraco",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 10.3.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.0.0-rc1, \u003c 12.2.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 13.0.0-rc1, \u003c 13.0.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Umbraco workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which will be executed by the server. Umbraco Workflow versions 10.3.9, 12.2.6, 13.0.6, as well as Umbraco Plumber version 10.1.2, contain a patch for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-24T14:46:28.239Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/umbraco/Umbraco.Workflow.Issues/security/advisories/GHSA-287f-46j7-j4wh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/umbraco/Umbraco.Workflow.Issues/security/advisories/GHSA-287f-46j7-j4wh"
            }
          ],
          "source": {
            "advisory": "GHSA-287f-46j7-j4wh",
            "discovery": "UNKNOWN"
          },
          "title": "Umbraco Workflow\u0027s Backoffice users can execute arbitrary SQL"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-32872",
        "datePublished": "2024-04-24T14:46:28.239Z",
        "dateReserved": "2024-04-19T14:07:11.229Z",
        "dateUpdated": "2024-08-02T02:20:35.662Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }