CVE-2023-48227 – umbraco.cms
Package
Manager: nuget
Name: umbraco.cms
Vulnerable Version: >=8.0.0 <8.18.10 || >=9.0.0 <10.8.0 || >=11.0.0 <12.3.0
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00114 pctl0.30768
Details
Backoffice User can bypass "Publish" restriction
Impact
Backoffice users with "Send for Approval" permission but not "Publish" permission are able to publish in some scenarios.
Explanation of the vulnerability
Backoffice users without permission to publish content, but only to send it for approval, can bypass the restriction by modifying the request body of the "Send for Approval" request.
Metadata
Created: 2023-12-13T13:21:51Z
Modified: 2024-01-12T16:28:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-335x-5wcm-8jv2/GHSA-335x-5wcm-8jv2.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-335x-5wcm-8jv2
Finding: F006
Auto approve: 1