Miggo Logo
Miggo Vulnerability Database
CVE-2024-48925

CVE-2024-48925: Umbraco CMS Improper Access Control Vulnerability Allows Low-Privilege Users to Access Webhook API

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-48925
GHSA ID
GHSA-4gp9-ff99-j6vj
EPSS Score
0.29878%
CWE
CWE-284
Published
10/22/2024
Updated
11/12/2024
KEV Status
No
Technology
TechnologyC#

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
Umbraco.CMSnuget>= 14.0.0, < 14.3.014.3.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper access control in the webhook API. Since webhooks are typically part of system settings, the affected functions would likely be:

  1. Controller methods handling webhook data retrieval (e.g., GetAll) without proper [Authorize(Policy = AuthorizationPolicies.SectionAccessSettings)] attributes
  2. Authorization handlers that implement permission checks for webhook operations. The medium confidence reflects the lack of explicit patch details, but aligns with Umbraco's architecture where BackOffice controllers and authorization handlers manage API access control.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n improp*r ****ss *ontrol issu* **s ***n i**nti*i**, *llowin* low-privil*** us*rs to ****ss t** w***ook *PI *n* r*tri*v* in*orm*tion t**t s*oul* ** r*stri*t** to us*rs wit* ****ss to t** s*ttin*s s**tion

Reasoning

T** vuln*r**ility st*ms *rom improp*r ****ss *ontrol in t** w***ook *PI. Sin** w***ooks *r* typi**lly p*rt o* syst*m s*ttin*s, t** *****t** *un*tions woul* lik*ly **: *. *ontroll*r m*t*o*s **n*lin* w***ook **t* r*tri*v*l (*.*., **t*ll) wit*out prop*