CVE-2024-32872

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-32872

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32872.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-32872

Aliases

GHSA-287f-46j7-j4wh

Published

2024-04-24T14:46:28Z

Modified

2025-10-21T02:35:37Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N CVSS Calculator

Summary

Umbraco Workflow's Backoffice users can execute arbitrary SQL

Details

Umbraco workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which will be executed by the server. Umbraco Workflow versions 10.3.9, 12.2.6, 13.0.6, as well as Umbraco Plumber version 10.1.2, contain a patch for this issue.

References

https://github.com/umbraco/Umbraco.Workflow.Issues/security/advisories/GHSA-287f-46j7-j4wh

Affected packages

Git /

Affected ranges

Database specific

unresolved_versions

[
    {
        "type": "",
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "10.3.9"
            }
        ]
    },
    {
        "type": "",
        "events": [
            {
                "introduced": "11.0.0-rc1"
            },
            {
                "fixed": "12.2.6"
            }
        ]
    },
    {
        "type": "",
        "events": [
            {
                "introduced": "13.0.0-rc1"
            },
            {
                "fixed": "13.0.6"
            }
        ]
    }
]