Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0zMzV4LTV3Y20tOGp2Ms4AA3ua

Backoffice User can bypass "Publish" restriction

Impact

Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios.

Explanation of the vulnerability

Backoffice users who only have permission to send content for approval, not to publish it, can bypass the restriction by modifying the request body of the "Send for Approval" request so that the content is published instead.

Permalink: https://github.com/advisories/GHSA-335x-5wcm-8jv2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zMzV4LTV3Y20tOGp2Ms4AA3ua
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 5 months ago
Updated: 4 months ago
Identifiers: GHSA-335x-5wcm-8jv2, CVE-2023-48227
References: Repository: https://github.com/umbraco/Umbraco-CMS
Blast Radius: 1.0

Affected Packages

nuget:Umbraco.CMS
Dependent packages: 0
Dependent repositories: 0
Downloads: 1,856,006 total
Affected Version Ranges: >= 11.0.0, < 12.3.0, >= 9.0.0, < 10.8.0, >= 8.0.0, < 8.18.10
Fixed in: 12.3.0, 10.8.0, 8.18.10
All affected versions: 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 10.0.0, 10.0.1, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.4.0, 10.4.1, 10.4.2, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 10.7.0, 11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.2.2, 11.3.0, 11.3.1, 11.4.0, 11.4.1, 11.4.2, 11.5.0, 12.0.0, 12.0.1, 12.1.0, 12.1.1, 12.1.2, 12.2.0
All unaffected versions: 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.3.8, 12.3.9, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.1.0, 13.1.1, 13.2.0, 13.2.1, 13.2.2, 13.3.0