GHSA-287f-46j7-j4wh

Suggest an improvement
Source
https://github.com/advisories/GHSA-287f-46j7-j4wh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-287f-46j7-j4wh/GHSA-287f-46j7-j4wh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-287f-46j7-j4wh
Aliases
Published
2024-04-24T17:04:34Z
Modified
2024-04-24T17:28:26.073021Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N CVSS Calculator
Summary
Umbraco Workflow's Backoffice users can execute arbitrary SQL
Details

Impact

Backoffice users can execute arbitrary SQL.

Explanation of the vulnerability

A Backoffice user can modify requests to a particular API endpoint to include SQL which will be executed by the server.

Affected versions

All versions

Patches

Workflow 10.3.9, 12.2.6, 13.0.6, Plumber 10.1.2

References

Upgrading Umbraco Workflow

Database specific 
{
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-89"
    ],
    "nvd_published_at": "2024-04-24T15:15:48Z",
    "github_reviewed_at": "2024-04-24T17:04:34Z"
}
References

Affected packages

NuGet / Umbraco.Workflow

Package

Name
Umbraco.Workflow
View open source insights on deps.dev
Purl
pkg:nuget/Umbraco.Workflow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.3.9

Affected versions

10.*

10.0.0
10.1.0-rc1
10.1.0
10.1.1
10.1.2
10.2.0-rc1
10.2.0
10.2.1
10.2.2
10.2.3
10.3.0-rc1
10.3.0
10.3.1
10.3.2
10.3.3
10.3.4
10.3.5
10.3.6
10.3.7
10.3.8

NuGet / Umbraco.Workflow

Package

Name
Umbraco.Workflow
View open source insights on deps.dev
Purl
pkg:nuget/Umbraco.Workflow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0-rc1
Fixed
12.2.6

Affected versions

11.*

11.0.0-rc1
11.0.0-rc2
11.0.0-rc3
11.0.0
11.0.1
11.1.0-rc1
11.1.0
11.1.1
11.1.2
11.2.0-rc1
11.2.0
11.2.1
11.2.2
11.2.3
11.3.0-rc1
11.3.0
11.3.1
11.3.2

12.*

12.0.0-rc1
12.0.0-rc2
12.0.0-rc4
12.0.0
12.0.1
12.1.0-rc1
12.1.0
12.1.1
12.1.2
12.2.0-rc1
12.2.0
12.2.1
12.2.2
12.2.3
12.2.4
12.2.5

NuGet / Umbraco.Workflow

Package

Name
Umbraco.Workflow
View open source insights on deps.dev
Purl
pkg:nuget/Umbraco.Workflow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13.0.0-rc1
Fixed
13.0.6

Affected versions

13.*

13.0.0-rc1
13.0.0-rc2
13.0.0
13.0.1
13.0.2
13.0.3
13.0.5

NuGet / Plumber.Workflow

Package

Name
Plumber.Workflow
View open source insights on deps.dev
Purl
pkg:nuget/Plumber.Workflow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.1.2

Affected versions

1.*

1.0.0-alpha-000230
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0
1.1.1
1.1.2-beta-000314
1.1.2
1.1.3-beta-000315
1.1.3-beta-000318
1.1.3-beta-000319
1.1.3-beta-000329
1.1.3
1.1.4-beta-000333
1.2.0-beta-000339
1.2.0-beta-000340
1.2.0-beta-000341
1.2.0-beta-000342
1.2.0-beta-000343
1.2.0-beta-000344
1.2.0-beta-000345
1.2.0-beta-000346
1.2.0-beta-000349
1.2.0-beta-000350
1.2.0-beta-000351
1.2.0-beta-000355
1.2.0-beta-000356
1.2.0-beta-000357
1.2.0-beta-000359
1.2.0-beta-000360
1.2.0-beta-000363
1.2.0
1.2.1-beta-000365
1.2.1-beta-000366
1.2.1-beta-000367
1.2.1-beta-000368
1.2.1-beta-000371
1.2.1
1.2.2-beta-000372
1.3.0-beta-000375
1.3.0
1.3.1-beta-000377
1.3.1
1.3.2
1.3.3-beta-000382
1.3.3
1.3.4
1.3.5-beta-000389
1.3.5-beta-000390
1.3.5-beta-000391
1.3.5-beta-000393
1.3.5
1.3.6-beta-000395
1.3.6
1.3.7-beta-000398
1.3.7-beta-000403
1.3.7
1.3.8-beta-000406
1.3.8-beta-000407
1.3.8-beta-000408
1.3.8-beta-000409
1.3.8-beta-000410
1.3.8-beta-000412
1.3.8
1.3.9-beta-000414
1.3.9-beta-000415
1.3.9-beta-000416
1.3.9-beta-000417
1.3.9-beta-000418
1.3.9-beta-000419
1.3.9-beta-000420
1.3.9-beta-000423
1.3.9
1.4.0-beta-000424
1.4.0-beta-000426
1.4.0-beta-000428
1.4.0-beta-000430
1.4.0-beta-000431
1.4.0-beta-000432
1.4.0-beta-000433
1.4.0-beta-000437
1.4.0-beta-000438
1.4.0
1.4.1-beta-000454
1.4.1-beta-000455
1.4.1-beta-000458
1.4.1-beta-000460
1.4.1-beta-000463
1.4.1
1.4.2-beta-000466
1.4.2
1.4.3-beta-000468
1.4.3-beta-000469
1.4.3-beta-000470
1.4.3-beta-000471
1.4.3-beta-000472
1.4.3-beta-000473
1.4.3-beta-000476
1.4.3-beta-000477
1.4.3-beta-000478
1.4.3-beta-000479
1.4.3
1.4.4-beta-000482
1.4.4-beta-000484
1.4.4-beta-000485
1.4.4-beta-000486
1.4.4-beta-000487
1.4.4-beta-000488
1.4.4-beta-000489
1.4.4-beta-000490
1.4.4-beta-000491
1.4.4-beta-000492
1.4.4-beta-000493
1.4.4-beta-000494
1.4.4-beta-000495
1.4.4-beta-000496
1.4.4-beta-000497
1.4.4-beta-000498
1.4.4-beta-000499
1.5.0-beta-000505
1.5.0
1.5.1-beta-000508
1.5.1-beta-000509
1.5.1-beta-000510
1.5.1-beta-000512
1.5.1-beta-000513
1.5.1-beta-000520
1.5.1
1.5.2-beta-000521
1.5.2-beta-000522
1.5.2-beta-000534
1.5.2-beta-000536
1.5.2-beta-000539
1.5.2
1.5.3-beta-000540
1.5.3-beta-000542
1.5.3-beta-000546
1.5.3
1.6.0-beta-000553
1.6.0-beta-000554
1.6.0-beta-000557
1.6.0-beta-000559
1.6.0-beta-000560
1.6.0-beta-000562
1.6.0-beta-000565
1.6.0
1.6.1-beta-000566
1.6.1-beta-000567
1.6.1-beta-000572
1.6.1
1.6.2-beta-000573
1.6.2
1.6.3-beta-000576
1.6.3-beta-000616
1.6.3-beta-000627
1.6.3-beta-000629
1.6.3-beta-000630
1.6.3-beta-000631
1.6.3-beta-000633
1.6.3-beta-000634
1.6.3-beta-000638
1.6.3-beta-000643
1.6.3-beta-000648
1.6.3-beta-000651
1.6.3
1.6.4-beta-000654
1.6.4-beta-000656
1.6.4
1.6.5-beta-000773
1.6.5
1.6.6-beta-000775
1.6.6-beta-000776
1.6.6-beta-000778
1.6.6-beta-000781
1.6.6-beta-000782
1.6.6-beta-000784
1.6.6-beta-000786
1.6.6
1.6.7-beta-000823
1.6.7
1.6.8-beta-000841
1.6.8-beta-000843
1.6.8-beta-000846
1.6.8
1.6.9-beta-000874

2.*

2.0.0-rc001
2.0.0
2.0.1
2.0.2
2.1.0-rc
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13

8.*

8.0.0-beta-000646

9.*

9.0.0-beta-000584
9.0.0-beta-000611
9.0.0-beta-000617

10.*

10.0.0
10.0.1
10.0.2-rc
10.1.0-rc
10.1.0
10.1.1