CVE-2024-32872 MEDIUM

CVE-2024-32872: Umbraco Workflow's Backoffice users can execute arbitrary SQL

Vendor Umbraco
Product Umbraco.Workflow.Issues
Weakness CWE-89 · SQLi
Published April 24, 2024
Last update August 2, 2024

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

01Description

Umbraco workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which will be executed by the server. Umbraco Workflow versions 10.3.9, 12.2.6, 13.0.6, as well as Umbraco Plumber version 10.1.2, contain a patch for this issue.

Key dates

02Disclosure timeline

April 24, 2024 CVE published
August 2, 2024 Record updated