CVE-2024-32872 – plumber.workflow
Package
Manager: nuget
Name: plumber.workflow
Vulnerable Version: >=0 <10.1.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0005 (percentile 0.15286)
Details
Umbraco Workflow's Backoffice users can execute arbitrary SQL

### Impact
Backoffice users can execute arbitrary SQL.

### Explanation of the vulnerability
A Backoffice user can modify requests to a particular API endpoint to include SQL which will be executed by the server.

### Affected versions
All versions

### Patches
Workflow 10.3.9, 12.2.6, 13.0.6; Plumber 10.1.2

### References
[Upgrading Umbraco Workflow](https://docs.umbraco.com/umbraco-workflow/upgrading/upgrading)
Metadata
Created: 2024-04-24T17:04:34Z
Modified: 2024-04-24T17:04:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-287f-46j7-j4wh/GHSA-287f-46j7-j4wh.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-287f-46j7-j4wh
Finding: F297
Auto approve: 1