GSD-2022-22690
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
Within the Umbraco CMS, a configuration element named "UmbracoApplicationUrl" (or just "ApplicationUrl") is used whenever application code needs to build a URL pointing back to the site. For example, when a user resets their password and the application builds a password reset URL or when the administrator invites users to the site. For Umbraco versions less than 9.2.0, if the Application URL is not specifically configured, the attacker can manipulate this value and store it persistently affecting all users for components where the "UmbracoApplicationUrl" is used. For example, the attacker is able to change the URL users receive when resetting their password so that it points to the attackers server, when the user follows this link the reset token can be intercepted by the attacker resulting in account takeover.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-22690",
"description": "Within the Umbraco CMS, a configuration element named \"UmbracoApplicationUrl\" (or just \"ApplicationUrl\") is used whenever application code needs to build a URL pointing back to the site. For example, when a user resets their password and the application builds a password reset URL or when the administrator invites users to the site. For Umbraco versions less than 9.2.0, if the Application URL is not specifically configured, the attacker can manipulate this value and store it persistently affecting all users for components where the \"UmbracoApplicationUrl\" is used. For example, the attacker is able to change the URL users receive when resetting their password so that it points to the attackers server, when the user follows this link the reset token can be intercepted by the attacker resulting in account takeover.",
"id": "GSD-2022-22690"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-22690"
],
"details": "Within the Umbraco CMS, a configuration element named \"UmbracoApplicationUrl\" (or just \"ApplicationUrl\") is used whenever application code needs to build a URL pointing back to the site. For example, when a user resets their password and the application builds a password reset URL or when the administrator invites users to the site. For Umbraco versions less than 9.2.0, if the Application URL is not specifically configured, the attacker can manipulate this value and store it persistently affecting all users for components where the \"UmbracoApplicationUrl\" is used. For example, the attacker is able to change the URL users receive when resetting their password so that it points to the attackers server, when the user follows this link the reset token can be intercepted by the attacker resulting in account takeover.",
"id": "GSD-2022-22690",
"modified": "2023-12-13T01:19:29.337104Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "info@appcheck-ng.com",
"DATE_PUBLIC": "2022-01-18T14:26:00.000Z",
"ID": "CVE-2022-22690",
"STATE": "PUBLIC",
"TITLE": "Umbraco Remote ApplicationURL Overwrite"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Umbraco CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "9.2.0"
}
]
}
}
]
},
"vendor_name": "Umbraco"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "AppCheck Ltd"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Within the Umbraco CMS, a configuration element named \"UmbracoApplicationUrl\" (or just \"ApplicationUrl\") is used whenever application code needs to build a URL pointing back to the site. For example, when a user resets their password and the application builds a password reset URL or when the administrator invites users to the site. For Umbraco versions less than 9.2.0, if the Application URL is not specifically configured, the attacker can manipulate this value and store it persistently affecting all users for components where the \"UmbracoApplicationUrl\" is used. For example, the attacker is able to change the URL users receive when resetting their password so that it points to the attackers server, when the user follows this link the reset token can be intercepted by the attacker resulting in account takeover."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unauthorised runtime configuration manipulation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/",
"refsource": "MISC",
"url": "https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,9.2.0)",
"affected_versions": "All versions before 9.2.0",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-01-21",
"description": "Within the Umbraco CMS, a configuration element named \"UmbracoApplicationUrl\" (or just \"ApplicationUrl\") is used whenever application code needs to build a URL pointing back to the site. For example, when a user resets their password and the application builds a password reset URL or when the administrator invites users to the site. For Umbraco versions less than, if the Application URL is not specifically configured, the attacker can manipulate this value and store it persistently affecting all users for components where the \"UmbracoApplicationUrl\" is used. For example, the attacker is able to change the URL users receive when resetting their password so that it points to the attackers server, when the user follows this link the reset token can be intercepted by the attacker resulting in account takeover.",
"fixed_versions": [
"9.2.0"
],
"identifier": "CVE-2022-22690",
"identifiers": [
"GHSA-jrmq-rv9w-63rv",
"CVE-2022-22690"
],
"not_impacted": "All versions starting from 9.2.0",
"package_slug": "nuget/Umbraco.Cms.Core",
"pubdate": "2022-01-21",
"solution": "Upgrade to version 9.2.0 or above.",
"title": "Umbraco ApplicationURL Overwrite",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-22690",
"https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/",
"https://github.com/advisories/GHSA-jrmq-rv9w-63rv"
],
"uuid": "3f640d41-1277-40b9-94fe-28455a79ac4b"
},
{
"affected_range": "(,9.2.0)",
"affected_versions": "All versions before 9.2.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-444",
"CWE-937"
],
"date": "2022-01-26",
"description": "Within the Umbraco CMS, a configuration element named \"UmbracoApplicationUrl\" (or just \"ApplicationUrl\") is used whenever application code needs to build a URL pointing back to the site. For example, when a user resets their password and the application builds a password reset URL or when the administrator invites users to the site. For Umbraco versions less than, if the Application URL is not specifically configured, the attacker can manipulate this value and store it persistently affecting all users for components where the \"UmbracoApplicationUrl\" is used. For example, the attacker is able to change the URL users receive when resetting their password so that it points to the attackers server, when the user follows this link the reset token can be intercepted by the attacker resulting in account takeover.",
"fixed_versions": [
"9.2.0"
],
"identifier": "CVE-2022-22690",
"identifiers": [
"CVE-2022-22690"
],
"not_impacted": "",
"package_slug": "nuget/UmbracoCms",
"pubdate": "2022-01-18",
"solution": "Upgrade to version 9.2.0 or above.",
"title": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-22690",
"https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/"
],
"uuid": "14eb5208-dec6-45ef-8d3c-4ba15c8537c2"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.2.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "info@appcheck-ng.com",
"ID": "CVE-2022-22690"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Within the Umbraco CMS, a configuration element named \"UmbracoApplicationUrl\" (or just \"ApplicationUrl\") is used whenever application code needs to build a URL pointing back to the site. For example, when a user resets their password and the application builds a password reset URL or when the administrator invites users to the site. For Umbraco versions less than 9.2.0, if the Application URL is not specifically configured, the attacker can manipulate this value and store it persistently affecting all users for components where the \"UmbracoApplicationUrl\" is used. For example, the attacker is able to change the URL users receive when resetting their password so that it points to the attackers server, when the user follows this link the reset token can be intercepted by the attacker resulting in account takeover."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-444"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/",
"refsource": "MISC",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2022-01-26T17:03Z",
"publishedDate": "2022-01-18T17:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…