CVE-2024-32872— Umbraco Workflow's Backoffice users can execute arbitrary SQL

Umbraco Workflow's Backoffice users can execute arbitrary SQL

Umbraco workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which will be executed by the server. Umbraco Workflow versions 10.3.9, 12.2.6, 13.0.6, as well as Umbraco Plumber version 10.1.2, contain a patch for this issue.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

Umbraco 安全漏洞

Umbraco是丹麦Umbraco公司的一套C#编写的开源的内容管理系统（CMS）。 Umbraco workflow 10.3.9、12.2.6 和 13.0.6 之前版本存在安全漏洞，该漏洞源于 Umbraco Backoffice 用户可以修改特定 API 端点的请求。

N/A

N/A