GHSA-335x-5wcm-8jv2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-335x-5wcm-8jv2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-335x-5wcm-8jv2/GHSA-335x-5wcm-8jv2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-335x-5wcm-8jv2
- Aliases
- Published
- 2023-12-13T13:21:51Z
- Modified
- 2024-02-16T08:00:32.592964Z
- Severity
-
- 0.0 (None) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N CVSS Calculator
- Summary
- Backoffice User can bypass "Publish" restriction
- Details
-
Impact
Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios.
Explanation of the vulnerability
Backoffice users without permission to publish content, but only to send for approval, can bypass the restriction by modifying the request body of the "Send for Approval" request.
- Database specific
{ "nvd_published_at": "2023-12-12T17:15:08Z", "cwe_ids": [ "CWE-863" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2023-12-13T13:21:51Z" }- References
Affected packages
NuGet / Umbraco.CMS
Package
- Name
- Umbraco.CMS
- View open source insights on deps.dev
- Purl
- pkg:nuget/Umbraco.CMS
NuGet / Umbraco.CMS
Package
- Name
- Umbraco.CMS
- View open source insights on deps.dev
- Purl
- pkg:nuget/Umbraco.CMS
Affected versions
9.*
9.0.0
9.0.1
9.1.0-rc
9.1.0
9.1.1
9.1.2
9.2.0-rc
9.2.0
9.3.0-rc
9.3.0
9.3.1
9.4.0-rc
9.4.0
9.4.1
9.4.2
9.4.3
9.5.0-rc
9.5.0-rc2
9.5.0-rc3
9.5.0
9.5.1
9.5.2
9.5.3
9.5.4
10.*
10.0.0-rc1
10.0.0-rc2
10.0.0-rc3
10.0.0-rc4
10.0.0-rc5
10.0.0
10.0.1
10.1.0-rc
10.1.0-rc2
10.1.0
10.1.1
10.2.0-rc
10.2.0
10.2.1
10.3.0-rc
10.3.0
10.3.1
10.3.2
10.4.0-rc
10.4.0
10.4.1
10.4.2
10.5.0-rc
10.5.0
10.5.1
10.6.0-rc
10.6.0
10.6.1
10.7.0-rc
10.7.0
10.8.0-rc
NuGet / Umbraco.CMS
Package
- Name
- Umbraco.CMS
- View open source insights on deps.dev
- Purl
- pkg:nuget/Umbraco.CMS