Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03NHA2LTM5ZjItMjN2M84AA7I7
Blind SSRF Leads to Port Scan by using Webhooks
Impact
Failing webhooks logs are available when solution is not in debug mode. Those logs can contain information that is critical.
Affected Versions
Umbraco versions 13.0.0 - 13.1.1
Patches
13.1.1
Workarounds
Disabling webhooks functionality.
Permalink: https://github.com/advisories/GHSA-74p6-39f2-23v3JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NHA2LTM5ZjItMjN2M84AA7I7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 16 days ago
Updated: 16 days ago
CVSS Score: 4.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Identifiers: GHSA-74p6-39f2-23v3, CVE-2024-29035
References:
- https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-74p6-39f2-23v3
- https://nvd.nist.gov/vuln/detail/CVE-2024-29035
- https://github.com/umbraco/Umbraco-CMS/commit/6b8067815c02ae43161966a8075a3585e1bc4de0
- https://github.com/advisories/GHSA-74p6-39f2-23v3
Blast Radius: 1.0
Affected Packages
nuget:Umbraco.Cms.Web.BackOffice
Dependent packages: 0Dependent repositories: 0
Downloads: 7,525,683 total
Affected Version Ranges: >= 13.0.0, < 13.1.1
Fixed in: 13.1.1
All affected versions: 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.1.0
All unaffected versions: 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 10.0.0, 10.0.1, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.4.0, 10.4.1, 10.4.2, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 10.7.0, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.2.2, 11.3.0, 11.3.1, 11.4.0, 11.4.1, 11.4.2, 11.5.0, 12.0.0, 12.0.1, 12.1.0, 12.1.1, 12.1.2, 12.2.0, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.3.8, 12.3.9, 13.1.1, 13.2.0, 13.2.1, 13.2.2
nuget:Umbraco.Cms.Core
Dependent packages: 0Dependent repositories: 0
Downloads: 8,801,146 total
Affected Version Ranges: >= 13.0.0, < 13.1.1
Fixed in: 13.1.1
All affected versions: 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.1.0
All unaffected versions: 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 10.0.0, 10.0.1, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.4.0, 10.4.1, 10.4.2, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 10.7.0, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.2.2, 11.3.0, 11.3.1, 11.4.0, 11.4.1, 11.4.2, 11.5.0, 12.0.0, 12.0.1, 12.1.0, 12.1.1, 12.1.2, 12.2.0, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.3.8, 12.3.9, 13.1.1, 13.2.0, 13.2.1, 13.2.2, 13.3.0