gsd - gsd-2023-48227

gsd-2023-48227

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available.

Aliases

CVE-2023-48227

Aliases

CVE-2023-48227

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-48227",
    "id": "GSD-2023-48227"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-48227"
      ],
      "details": "Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available.",
      "id": "GSD-2023-48227",
      "modified": "2023-12-13T01:20:39.388732Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-48227",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Umbraco-CMS",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 8.0.0, \u003c 8.18.10"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 9.0.0-rc001, \u003c 10.7.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 11.0.0-rc1, \u003c 12.3.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "umbraco"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-863",
                "lang": "eng",
                "value": "CWE-863: Incorrect Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-335x-5wcm-8jv2",
            "refsource": "MISC",
            "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-335x-5wcm-8jv2"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-335x-5wcm-8jv2",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "FAFFD03D-00A2-4AA4-A727-FA10CFC1446F",
                    "versionEndExcluding": "8.18.10",
                    "versionStartIncluding": "8.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "CC51790C-3B57-4147-B030-A03396838BDE",
                    "versionEndExcluding": "10.7.0",
                    "versionStartIncluding": "9.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "8CB794A3-A6F2-4813-9EC7-1DDA2863C598",
                    "versionEndExcluding": "12.3.0",
                    "versionStartIncluding": "11.0.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.3.0, Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. Versions 8.18.10, 10.7.0, and 12.3.0 contains a patch for this issue. No known workarounds are available."
          },
          {
            "lang": "es",
            "value": "Umbraco es un sistema de gesti\u00f3n de contenidos (CMS) ASP.NET. A partir de la versi\u00f3n 8.0.0 y anteriores a las versiones 8.18.10, 10.7.0 y 12.3.0, los usuarios de Backoffice con permiso de env\u00edo para aprobaci\u00f3n pero sin permiso de publicaci\u00f3n pueden publicar en algunos escenarios. Las versiones 8.18.10, 10.7.0 y 12.3.0 contienen un parche para este problema. No hay workarounds disponibles."
          }
        ],
        "id": "CVE-2023-48227",
        "lastModified": "2023-12-15T14:07:29.693",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 1.4,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 1.4,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2023-12-12T17:15:08.143",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "URL Repurposed"
            ],
            "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-335x-5wcm-8jv2"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-863"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

cve-2023-48227

Vulnerability from cvelistv5

Published

2023-12-12 17:12

Modified

2024-08-28 14:47

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Summary

Umbraco CMS Backoffice User can bypass "Publish" restriction

References

▼	URL	Tags
	https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-335x-5wcm-8jv2	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	umbraco	Umbraco-CMS

Show details on NVD website