CVE-2024-32872

medium

Description

Umbraco workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which will be executed by the server. Umbraco Workflow versions 10.3.9, 12.2.6, 13.0.6, as well as Umbraco Plumber version 10.1.2, contain a patch for this issue.

References

https://github.com/umbraco/Umbraco.Workflow.Issues/security/advisories/GHSA-287f-46j7-j4wh

Details

Source: Mitre, NVD

Published: 2024-04-24

Updated: 2024-04-24

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:M/C:P/I:C/A:N

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N