GHSA-287f-46j7-j4wh

Suggest an improvement
Source
https://github.com/advisories/GHSA-287f-46j7-j4wh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-287f-46j7-j4wh/GHSA-287f-46j7-j4wh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-287f-46j7-j4wh
Aliases
  • CVE-2024-32872
Published
2024-04-24T17:04:34Z
Modified
2024-04-24T17:28:26.073021Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N CVSS Calculator
Summary
Umbraco Workflow's Backoffice users can execute arbitrary SQL
Details

Impact

Backoffice users can execute arbitrary SQL.

Explanation of the vulnerability

A Backoffice user can modify requests to a particular API endpoint to include SQL which will be executed by the server.

Affected versions

All versions

Patches

Workflow 10.3.9, 12.2.6, 13.0.6, Plumber 10.1.2

References

Upgrading Umbraco Workflow

References

Affected packages

NuGet / Umbraco.Workflow

Package

Name
Umbraco.Workflow
View open source insights on deps.dev
Purl
pkg:nuget/Umbraco.Workflow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.3.9

Affected versions

10.*

10.0.0
10.1.0-rc1
10.1.0
10.1.1
10.1.2
10.2.0-rc1
10.2.0
10.2.1
10.2.2
10.2.3
10.3.0-rc1
10.3.0
10.3.1
10.3.2
10.3.3
10.3.4
10.3.5
10.3.6
10.3.7
10.3.8

NuGet / Umbraco.Workflow

Package

Name
Umbraco.Workflow
View open source insights on deps.dev
Purl
pkg:nuget/Umbraco.Workflow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0-rc1
Fixed
12.2.6

Affected versions

11.*

11.0.0-rc1
11.0.0-rc2
11.0.0-rc3
11.0.0
11.0.1
11.1.0-rc1
11.1.0
11.1.1
11.1.2
11.2.0-rc1
11.2.0
11.2.1
11.2.2
11.2.3
11.3.0-rc1
11.3.0
11.3.1
11.3.2

12.*

12.0.0-rc1
12.0.0-rc2
12.0.0-rc4
12.0.0
12.0.1
12.1.0-rc1
12.1.0
12.1.1
12.1.2
12.2.0-rc1
12.2.0
12.2.1
12.2.2
12.2.3
12.2.4
12.2.5

NuGet / Umbraco.Workflow

Package

Name
Umbraco.Workflow
View open source insights on deps.dev
Purl
pkg:nuget/Umbraco.Workflow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13.0.0-rc1
Fixed
13.0.6

Affected versions

13.*

13.0.0-rc1
13.0.0-rc2
13.0.0
13.0.1
13.0.2
13.0.3
13.0.5

NuGet / Plumber.Workflow

Package

Name
Plumber.Workflow
View open source insights on deps.dev
Purl
pkg:nuget/Plumber.Workflow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.1.2

Affected versions

1.*

1.0.0-alpha-000230
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0
1.1.1
1.1.2-beta-000314
1.1.2
1.1.3-beta-000315
1.1.3-beta-000318
1.1.3-beta-000319
1.1.3-beta-000329
1.1.3
1.1.4-beta-000333
1.2.0-beta-000339
1.2.0-beta-000340
1.2.0-beta-000341
1.2.0-beta-000342
1.2.0-beta-000343
1.2.0-beta-000344
1.2.0-beta-000345
1.2.0-beta-000346
1.2.0-beta-000349
1.2.0-beta-000350
1.2.0-beta-000351
1.2.0-beta-000355
1.2.0-beta-000356
1.2.0-beta-000357
1.2.0-beta-000359
1.2.0-beta-000360
1.2.0-beta-000363
1.2.0
1.2.1-beta-000365
1.2.1-beta-000366
1.2.1-beta-000367
1.2.1-beta-000368
1.2.1-beta-000371
1.2.1
1.2.2-beta-000372
1.3.0-beta-000375
1.3.0
1.3.1-beta-000377
1.3.1
1.3.2
1.3.3-beta-000382
1.3.3
1.3.4
1.3.5-beta-000389
1.3.5-beta-000390
1.3.5-beta-000391
1.3.5-beta-000393
1.3.5
1.3.6-beta-000395
1.3.6
1.3.7-beta-000398
1.3.7-beta-000403
1.3.7
1.3.8-beta-000406
1.3.8-beta-000407
1.3.8-beta-000408
1.3.8-beta-000409
1.3.8-beta-000410
1.3.8-beta-000412
1.3.8
1.3.9-beta-000414
1.3.9-beta-000415
1.3.9-beta-000416
1.3.9-beta-000417
1.3.9-beta-000418
1.3.9-beta-000419
1.3.9-beta-000420
1.3.9-beta-000423
1.3.9
1.4.0-beta-000424
1.4.0-beta-000426
1.4.0-beta-000428
1.4.0-beta-000430
1.4.0-beta-000431
1.4.0-beta-000432
1.4.0-beta-000433
1.4.0-beta-000437
1.4.0-beta-000438
1.4.0
1.4.1-beta-000454
1.4.1-beta-000455
1.4.1-beta-000458
1.4.1-beta-000460
1.4.1-beta-000463
1.4.1
1.4.2-beta-000466
1.4.2
1.4.3-beta-000468
1.4.3-beta-000469
1.4.3-beta-000470
1.4.3-beta-000471
1.4.3-beta-000472
1.4.3-beta-000473
1.4.3-beta-000476
1.4.3-beta-000477
1.4.3-beta-000478
1.4.3-beta-000479
1.4.3
1.4.4-beta-000482
1.4.4-beta-000484
1.4.4-beta-000485
1.4.4-beta-000486
1.4.4-beta-000487
1.4.4-beta-000488
1.4.4-beta-000489
1.4.4-beta-000490
1.4.4-beta-000491
1.4.4-beta-000492
1.4.4-beta-000493
1.4.4-beta-000494
1.4.4-beta-000495
1.4.4-beta-000496
1.4.4-beta-000497
1.4.4-beta-000498
1.4.4-beta-000499
1.5.0-beta-000505
1.5.0
1.5.1-beta-000508
1.5.1-beta-000509
1.5.1-beta-000510
1.5.1-beta-000512
1.5.1-beta-000513
1.5.1-beta-000520
1.5.1
1.5.2-beta-000521
1.5.2-beta-000522
1.5.2-beta-000534
1.5.2-beta-000536
1.5.2-beta-000539
1.5.2
1.5.3-beta-000540
1.5.3-beta-000542
1.5.3-beta-000546
1.5.3
1.6.0-beta-000553
1.6.0-beta-000554
1.6.0-beta-000557
1.6.0-beta-000559
1.6.0-beta-000560
1.6.0-beta-000562
1.6.0-beta-000565
1.6.0
1.6.1-beta-000566
1.6.1-beta-000567
1.6.1-beta-000572
1.6.1
1.6.2-beta-000573
1.6.2
1.6.3-beta-000576
1.6.3-beta-000616
1.6.3-beta-000627
1.6.3-beta-000629
1.6.3-beta-000630
1.6.3-beta-000631
1.6.3-beta-000633
1.6.3-beta-000634
1.6.3-beta-000638
1.6.3-beta-000643
1.6.3-beta-000648
1.6.3-beta-000651
1.6.3
1.6.4-beta-000654
1.6.4-beta-000656
1.6.4
1.6.5-beta-000773
1.6.5
1.6.6-beta-000775
1.6.6-beta-000776
1.6.6-beta-000778
1.6.6-beta-000781
1.6.6-beta-000782
1.6.6-beta-000784
1.6.6-beta-000786
1.6.6
1.6.7-beta-000823
1.6.7
1.6.8-beta-000841
1.6.8-beta-000843
1.6.8-beta-000846
1.6.8
1.6.9-beta-000874

2.*

2.0.0-rc001
2.0.0
2.0.1
2.0.2
2.1.0-rc
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13

8.*

8.0.0-beta-000646

9.*

9.0.0-beta-000584
9.0.0-beta-000611
9.0.0-beta-000617

10.*

10.0.0
10.0.1
10.0.2-rc
10.1.0-rc
10.1.0
10.1.1