cvelist GitHub_M CVELIST:CVE-2023-49273
History Dec 12, 2023 - 7:05 p.m.

CVE-2023-49273 Umbraco CMS vulnerable to Privilege Escalation using Spoofing

2023-12-12 19:05:39
CWE-863
GitHub_M
www.cve.org
umbraco cms
privilege escalation
cve-2023-49273
asp.net
content management system
spoofing
patch

CVSS3: 5.4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS: 0.0004 Low
Percentile: 13.4%

Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges (Editor, etc.) are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.

CNA Affected

[
  {
    "vendor": "umbraco",
    "product": "Umbraco-CMS",
    "versions": [
      {
        "version": ">= 8.0.0, < 8.18.10",
        "status": "affected"
      },
      {
        "version": ">= 9.0.0-rc001, < 10.8.1",
        "status": "affected"
      },
      {
        "version": ">= 11.0.0-rc1, < 12.3.4",
        "status": "affected"
      }
    ]
  }
]
