ghsa-cfr5-7p54-4qg8
Vulnerability from github
Published
2023-12-13 13:25
Modified
2024-01-12 16:29
Severity ?
Summary
Privilege Escalation using Spoofing
Details
Impact
Users with low privileges ( Editor, etc) are able to access some unintended endpoints.
Explanation of the vulnerability
Possible to delete redirect urls, when disabled by admin with only access to backoffice Possible to access the examine dashboard with only access to backoffice Possible to access the published cache dashboard with only access to backoffice Possible to access the telemetry dashboard with only access to backoffice Possible to access the languages with only access to backoffice Possible to access the stylesheets with only access to backoffice
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.CMS"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.18.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.CMS"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "10.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.CMS"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "12.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-49273"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-13T13:25:38Z",
"nvd_published_at": "2023-12-12T19:15:08Z",
"severity": "MODERATE"
},
"details": "#### Impact\nUsers with low privileges ( Editor, etc) are able to access some unintended endpoints.\n\n#### Explanation of the vulnerability \nPossible to delete redirect urls, when disabled by admin with only access to backoffice\nPossible to access the examine dashboard with only access to backoffice\nPossible to access the published cache dashboard with only access to backoffice\nPossible to access the telemetry dashboard with only access to backoffice\nPossible to access the languages with only access to backoffice\nPossible to access the stylesheets with only access to backoffice",
"id": "GHSA-cfr5-7p54-4qg8",
"modified": "2024-01-12T16:29:13Z",
"published": "2023-12-13T13:25:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-cfr5-7p54-4qg8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49273"
},
{
"type": "PACKAGE",
"url": "https://github.com/umbraco/Umbraco-CMS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Privilege Escalation using Spoofing"
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.