7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-37267

GHSA ID

GHSA-h8wc-r4jh-mg7m

EPSS Score

0.53941%

CWE

CWE-284

Published

7/13/2023

Updated

11/4/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-37267

CVE-2023-37267:
Umbraco allows possible Admin-level access to backoffice without Auth under rare conditions

Under rare conditions, a restart of Umbraco can allow unauthorized users to gain admin-level permissions.

Impact

An unauthorized user gaining admin-level access and permissions to the backoffice.

Patches

10.6.1, 11.4.2, 12.0.1

Workarounds

Enabling the Unattended Install feature will mean the vulnerability is not exploitable.
Enabling IP restrictions to */install/* and */umbraco/* will limit the exposure to allowed IP addresses.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-37267

GHSA ID

GHSA-h8wc-r4jh-mg7m

EPSS Score

0.53941%

CWE

CWE-284

Published

7/13/2023

Updated

11/4/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Umbraco.Cms.Infrastructure	nuget	>= 9.0.0, < 10.6.1	10.6.1
Umbraco.Cms.Infrastructure	nuget	>= 11.0.0, < 11.4.2	11.4.2
Umbraco.Cms.Infrastructure	nuget	= 12.0.0	12.0.1
Umbraco.Cms.Web.BackOffice	nuget	>= 9.0.0, < 10.6.1	10.6.1
Umbraco.Cms.Web.BackOffice	nuget	>= 11.0.0, < 11.4.2	11.4.2
Umbraco.Cms.Web.BackOffice	nuget	= 12.0.0	12.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key behaviors: 1) The CompleteInstall method's auto-login feature after restart when in Install mode, which bypassed authentication. 2) The runtime state transitioning to Install mode when detecting database issues, enabling the attack surface. The commit diff shows removal of IBackOfficeSignInManager dependencies and auto-login logic in CompleteInstall, plus hardening of runtime state transitions in DetermineRuntimeLevel. These changes directly address the authentication bypass and improper state management described in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Un**r r*r* *on*itions, * r*st*rt o* Um*r**o **n *llow un*ut*oriz** us*rs to **in **min-l*v*l p*rmissions. ### Imp**t *n un*ut*oriz** us*r **inin* **min-l*v*l ****ss *n* p*rmissions to t** ***ko**i**. ### P*t***s **.*.*, **.*.*, **.*.* ### Work*rou

Reasoning

T** vuln*r**ility st*ms *rom two k*y ****viors: *) T** `*ompl*t*Inst*ll` m*t*o*'s *uto-lo*in ***tur* **t*r r*st*rt w**n in Inst*ll mo**, w*i** *yp*ss** *ut**nti**tion. *) T** runtim* st*t* tr*nsitionin* to Inst*ll mo** w**n **t**tin* **t***s* issu*s,

7.5

Basic Information

Concerned about an active attack path?

CVE-2023-37267: Umbraco allows possible Admin-level access to backoffice without Auth under rare conditions

Impact

Patches

Workarounds

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-37267:
Umbraco allows possible Admin-level access to backoffice without Auth under rare conditions

Vulnerability Intelligence
Miggo AI