
CVE-2024-32872: Umbraco Workflow's Backoffice users can execute arbitrary SQL

CVSS Score: 5.5

Basic Information

EPSS Score: -
Published: 4/24/2024
Updated: 4/24/2024
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

Package Name      Ecosystem  Vulnerable Versions        First Patched Version
Umbraco.Workflow  nuget      < 10.3.9                   10.3.9
Umbraco.Workflow  nuget      >= 11.0.0-rc1, < 12.2.6    12.2.6
Umbraco.Workflow  nuget      >= 13.0.0-rc1, < 13.0.6    13.0.6
Plumber.Workflow  nuget      < 10.1.2                   10.1.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability involves SQL injection through API endpoint manipulation. Analysis focused on:

  1. Controller actions handling Backoffice API requests
  2. SQL execution methods processing user input
  3. Patch notes indicating input validation improvements

While the exact code changes aren't visible, the pattern matches:

  • API controller methods receiving user input
  • Service layer methods executing raw SQL

Confidence is medium: the assessment rests on typical vulnerability patterns in web applications, and the specific function names are inferred from architectural conventions rather than from the patch itself.
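The two patterns named above, as an added C# illustration that is not Umbraco Workflow's code: a hypothetical service method that splices a request value into a raw SQL string, beside the parameterized version of the same query, and a hypothetical Backoffice API controller that calls it. The route, table, column and type names are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Microsoft.Data.SqlClient;      // NuGet package Microsoft.Data.SqlClient
using Microsoft.AspNetCore.Mvc;

// Hypothetical service layer; the table, column and route names are made up
// for illustration and are not Umbraco Workflow's.
public sealed class WorkflowInstanceService
{
    // Columns a caller may sort by; anything else is rejected before it
    // reaches the statement text.
    private static readonly HashSet<string> SortableColumns =
        new(StringComparer.OrdinalIgnoreCase) { "NodeName", "CreatedDate" };

    private readonly string _connectionString;

    public WorkflowInstanceService(string connectionString)
        => _connectionString = connectionString;

    // VULNERABLE PATTERN: request-supplied text is concatenated into the
    // statement, so whatever SQL the caller includes runs with the
    // application's database permissions. Kept only to show what to look for.
    public IReadOnlyList<string> SearchUnsafe(string nodeName, string sortBy)
    {
        var sql = "SELECT NodeName FROM WorkflowInstance " +
                  "WHERE NodeName LIKE '%" + nodeName + "%' " +
                  "ORDER BY " + sortBy;

        using var connection = new SqlConnection(_connectionString);
        using var command = new SqlCommand(sql, connection);
        return ReadNames(command);
    }

    // HARDENED: the search term travels as a typed parameter, and the
    // ORDER BY column (which cannot be parameterized) is checked against
    // a fixed allow-list before it is placed in the statement.
    public IReadOnlyList<string> SearchSafe(string nodeName, string sortBy)
    {
        if (!SortableColumns.Contains(sortBy))
            throw new ArgumentException("Unsupported sort column.", nameof(sortBy));

        const string sql = "SELECT NodeName FROM WorkflowInstance " +
                           "WHERE NodeName LIKE @pattern ORDER BY ";

        using var connection = new SqlConnection(_connectionString);
        using var command = new SqlCommand(sql + sortBy, connection);
        command.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value =
            "%" + EscapeLikeWildcards(nodeName) + "%";
        return ReadNames(command);
    }

    // LIKE treats %, _ and [ as wildcards; escape them so a search for "100%"
    // matches literally instead of matching every row.
    private static string EscapeLikeWildcards(string value)
        => value.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");

    private static IReadOnlyList<string> ReadNames(SqlCommand command)
    {
        var names = new List<string>();
        command.Connection.Open();
        using var reader = command.ExecuteReader();
        while (reader.Read())
            names.Add(reader.GetString(0));
        return names;
    }
}

// Hypothetical Backoffice API controller in front of the service. Input
// length and shape are checked here, but the parameterized query is what
// actually removes the injection; the controller check is defence in depth.
[ApiController]
[Route("umbraco/backoffice/api/workflow-instances")]   // made-up route
public sealed class WorkflowInstancesController : ControllerBase
{
    private readonly WorkflowInstanceService _service;

    public WorkflowInstancesController(WorkflowInstanceService service)
        => _service = service;

    [HttpGet("search")]
    public ActionResult<IReadOnlyList<string>> Search(
        [FromQuery] string nodeName, [FromQuery] string sortBy = "NodeName")
    {
        if (string.IsNullOrWhiteSpace(nodeName) || nodeName.Length > 200)
            return BadRequest("nodeName is required and limited to 200 characters.");

        try
        {
            return Ok(_service.SearchSafe(nodeName, sortBy));
        }
        catch (ArgumentException ex)
        {
            return BadRequest(ex.Message);
        }
    }
}
```

Parameters carry the search term as data, so SQL inside it is never parsed as SQL; where a value cannot be parameterized (the ORDER BY column), an allow-list is the substitute. When reviewing an endpoint like the one the analysis describes, string concatenation or interpolation that builds a statement from a bound request parameter is the thing to look for, since that is the shape the root cause analysis points at. Note that the CVSS vector above carries PR:H: the request still has to come from an authenticated Backoffice user, so logging and auditing Backoffice API calls gives detection coverage that the code fix alone does not.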


WAF Protection Rules

WAF Rule

Impact: Backoffice users can execute arbitrary SQL.

Explanation of the vulnerability: A Backoffice user can modify requests to a particular API endpoint to include SQL which will be executed by the server.

Affected versions: All versions
