GHSA-287f-46j7-j4wh

Source

https://github.com/advisories/GHSA-287f-46j7-j4wh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-287f-46j7-j4wh/GHSA-287f-46j7-j4wh.json

Aliases

CVE-2024-32872

Published

2024-04-24T17:04:34Z

Modified

2024-04-24T17:28:26.073021Z

Summary

Umbraco Workflow's Backoffice users can execute arbitrary SQL

Details

Impact

Backoffice users can execute arbitrary SQL.

Explanation of the vulnerability

A Backoffice user can modify requests to a particular API endpoint to include SQL which will be executed by the server.

Affected versions

All versions

Patches

Workflow 10.3.9, 12.2.6, 13.0.6, Plumber 10.1.2

References

Upgrading Umbraco Workflow

References

Affected packages

NuGet / Umbraco.Workflow

Package

Name: Umbraco.Workflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

10.3.9

Affected versions

10.*

10.0.0

10.1.0-rc1

10.1.0

10.1.1

10.1.2

10.2.0-rc1

10.2.0

10.2.1

10.2.2

10.2.3

10.3.0-rc1

10.3.0

10.3.1

10.3.2

10.3.3

10.3.4

10.3.5

10.3.6

10.3.7

10.3.8

NuGet / Umbraco.Workflow

Package

Name: Umbraco.Workflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0-rc1

Fixed

12.2.6

Affected versions

11.*

11.0.0-rc1

11.0.0-rc2

11.0.0-rc3

11.0.0

11.0.1

11.1.0-rc1

11.1.0

11.1.1

11.1.2

11.2.0-rc1

11.2.0

11.2.1

11.2.2

11.2.3

11.3.0-rc1

11.3.0

11.3.1

11.3.2

12.*

12.0.0-rc1

12.0.0-rc2

12.0.0-rc4

12.0.0

12.0.1

12.1.0-rc1

12.1.0

12.1.1

12.1.2

12.2.0-rc1

12.2.0

12.2.1

12.2.2

12.2.3

12.2.4

12.2.5

NuGet / Umbraco.Workflow

Package

Name: Umbraco.Workflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.0.0-rc1

Fixed

13.0.6

Affected versions

13.*

13.0.0-rc1

13.0.0-rc2

13.0.0

13.0.1

13.0.2

13.0.3

13.0.5

NuGet / Plumber.Workflow

Package

Name: Plumber.Workflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

10.1.2

Affected versions

1.*

1.0.0-alpha-000230

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.1.0

1.1.1

1.1.2-beta-000314

1.1.2

1.1.3-beta-000315

1.1.3-beta-000318

1.1.3-beta-000319

1.1.3-beta-000329

1.1.3

1.1.4-beta-000333

1.2.0-beta-000339

1.2.0-beta-000340

1.2.0-beta-000341

1.2.0-beta-000342

1.2.0-beta-000343

1.2.0-beta-000344

1.2.0-beta-000345

1.2.0-beta-000346

1.2.0-beta-000349

1.2.0-beta-000350

1.2.0-beta-000351

1.2.0-beta-000355

1.2.0-beta-000356

1.2.0-beta-000357

1.2.0-beta-000359

1.2.0-beta-000360

1.2.0-beta-000363

1.2.0

1.2.1-beta-000365

1.2.1-beta-000366

1.2.1-beta-000367

1.2.1-beta-000368

1.2.1-beta-000371

1.2.1

1.2.2-beta-000372

1.3.0-beta-000375

1.3.0

1.3.1-beta-000377

1.3.1

1.3.2

1.3.3-beta-000382

1.3.3

1.3.4

1.3.5-beta-000389

1.3.5-beta-000390

1.3.5-beta-000391

1.3.5-beta-000393

1.3.5

1.3.6-beta-000395

1.3.6

1.3.7-beta-000398

1.3.7-beta-000403

1.3.7

1.3.8-beta-000406

1.3.8-beta-000407

1.3.8-beta-000408

1.3.8-beta-000409

1.3.8-beta-000410

1.3.8-beta-000412

1.3.8

1.3.9-beta-000414

1.3.9-beta-000415

1.3.9-beta-000416

1.3.9-beta-000417

1.3.9-beta-000418

1.3.9-beta-000419

1.3.9-beta-000420

1.3.9-beta-000423

1.3.9

1.4.0-beta-000424

1.4.0-beta-000426

1.4.0-beta-000428

1.4.0-beta-000430

1.4.0-beta-000431

1.4.0-beta-000432

1.4.0-beta-000433

1.4.0-beta-000437

1.4.0-beta-000438

1.4.0

1.4.1-beta-000454

1.4.1-beta-000455

1.4.1-beta-000458

1.4.1-beta-000460

1.4.1-beta-000463

1.4.1

1.4.2-beta-000466

1.4.2

1.4.3-beta-000468

1.4.3-beta-000469

1.4.3-beta-000470

1.4.3-beta-000471

1.4.3-beta-000472

1.4.3-beta-000473

1.4.3-beta-000476

1.4.3-beta-000477

1.4.3-beta-000478

1.4.3-beta-000479

1.4.3

1.4.4-beta-000482

1.4.4-beta-000484

1.4.4-beta-000485

1.4.4-beta-000486

1.4.4-beta-000487

1.4.4-beta-000488

1.4.4-beta-000489

1.4.4-beta-000490

1.4.4-beta-000491

1.4.4-beta-000492

1.4.4-beta-000493

1.4.4-beta-000494

1.4.4-beta-000495

1.4.4-beta-000496

1.4.4-beta-000497

1.4.4-beta-000498

1.4.4-beta-000499

1.5.0-beta-000505

1.5.0

1.5.1-beta-000508

1.5.1-beta-000509

1.5.1-beta-000510

1.5.1-beta-000512

1.5.1-beta-000513

1.5.1-beta-000520

1.5.1

1.5.2-beta-000521

1.5.2-beta-000522

1.5.2-beta-000534

1.5.2-beta-000536

1.5.2-beta-000539

1.5.2

1.5.3-beta-000540

1.5.3-beta-000542

1.5.3-beta-000546

1.5.3

1.6.0-beta-000553

1.6.0-beta-000554

1.6.0-beta-000557

1.6.0-beta-000559

1.6.0-beta-000560

1.6.0-beta-000562

1.6.0-beta-000565

1.6.0

1.6.1-beta-000566

1.6.1-beta-000567

1.6.1-beta-000572

1.6.1

1.6.2-beta-000573

1.6.2

1.6.3-beta-000576

1.6.3-beta-000616

1.6.3-beta-000627

1.6.3-beta-000629

1.6.3-beta-000630

1.6.3-beta-000631

1.6.3-beta-000633

1.6.3-beta-000634

1.6.3-beta-000638

1.6.3-beta-000643

1.6.3-beta-000648

1.6.3-beta-000651

1.6.3

1.6.4-beta-000654

1.6.4-beta-000656

1.6.4

1.6.5-beta-000773

1.6.5

1.6.6-beta-000775

1.6.6-beta-000776

1.6.6-beta-000778

1.6.6-beta-000781

1.6.6-beta-000782

1.6.6-beta-000784

1.6.6-beta-000786

1.6.6

1.6.7-beta-000823

1.6.7

1.6.8-beta-000841

1.6.8-beta-000843

1.6.8-beta-000846

1.6.8

1.6.9-beta-000874

2.*

2.0.0-rc001

2.0.0

2.0.1

2.0.2

2.1.0-rc

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.13

8.*

8.0.0-beta-000646

9.*

9.0.0-beta-000584

9.0.0-beta-000611

9.0.0-beta-000617

10.*

10.0.0

10.0.1

10.0.2-rc

10.1.0-rc

10.1.0

10.1.1