
CMS Umbraco discovered with a vulnerability allowing users to escalate privileges to Admin

A flaw has been detected in the popular CMS Umbraco that permitted low-privileged users to escalate their privileges to “admin”

07-Apr-2021
3 min read

Trustwave’s security experts have detected a privilege escalation flaw in the leading website CMS Umbraco. The flaw affects an API endpoint that does not correctly verify the user’s authorization before returning results from the application’s logging section.

“Umbraco version 8.9.0 (also seen in 8.6.3) has a privilege escalation issue in the core administrative screens which allows a low privileged user to access various resources otherwise limited to higher privileged users,” reads the post published by Trustwave.

“The issue exists in an API endpoint that does not properly check the user’s authorization prior to returning results found in the application’s logging section.”


Administrators, or users with sufficient privileges, can view log data in the administrative UI. This log data comprises whatever is written to the application logs by configuration or generated by custom exception handling routines. Trustwave’s security experts demonstrated the vulnerability by using an Administrator account to create a lower-privileged user and place it in the Writers group, which has restricted access to the application. To limit what the Writer can do or see within the application, the new user was permitted to view only the Content tab. On authenticating to the application, the low-privileged user is issued the session cookies and headers needed to call the back-office API.

“Using these identifiers, the low privileged user can access the API endpoint, which returns the log data only available to the Administrator via the UI,” continues the analysis published by Trustwave. “It was observed in the Umbraco.Web.dll that the LogViewerController class uses no granular authorization attributes on its exposed endpoints.”

Trustwave’s researchers found that, in the Umbraco.Web.dll library, the LogViewerController class does not apply granular authorization to its exposed endpoints, which means that lower-privileged users can reach them. “Conversely, there are other areas which do protect resources such as the UsersController wherein some methods are explicitly limited to Administrative users (“[AdminUsersAuthorize]” attribute) or must otherwise permit the controller (“[UmbracoApplicationAuthorize]”),” concludes the analysis. “A similar approach should be used for the LogViewerController to limit unauthorized access to its data.”
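To make the missing check concrete, here is an added illustration (not Umbraco’s source and not code from Trustwave’s post) of a back-office API controller that relies only on the generic back-office login, beside the same controller declaring the section-level authorization the analysis recommends; the namespaces, `Constants.Applications.Settings` and the `LogStore` helper are assumptions.

```csharp
// Added illustration, not Umbraco's own code: a weakly protected
// back-office API controller beside a hardened version.
using System.Collections.Generic;
using System.Web.Http;
using Umbraco.Core;                 // assumed: Constants.Applications
using Umbraco.Web.WebApi;           // assumed: UmbracoAuthorizedJsonController
using Umbraco.Web.WebApi.Filters;   // assumed: UmbracoApplicationAuthorize

namespace Example.LogViewer
{
    // WEAK PATTERN (the defect the analysis describes): the base class only
    // requires *some* authenticated back-office user, so a Writer who can
    // see nothing but the Content tab can still call GetLogs().
    public class WeakLogViewerController : UmbracoAuthorizedJsonController
    {
        [HttpGet]
        public IEnumerable<string> GetLogs()
        {
            return LogStore.ReadLines();
        }
    }

    // HARDENED PATTERN: the section attribute the page names on
    // UsersController is applied here, so the caller must have been granted
    // the Settings section (where the log viewer lives) by an administrator.
    // Per-method restrictions such as [AdminUsersAuthorize] can be layered
    // on top for endpoints that should be admin-only.
    [UmbracoApplicationAuthorize(Constants.Applications.Settings)]
    public class HardenedLogViewerController : UmbracoAuthorizedJsonController
    {
        [HttpGet]
        public IEnumerable<string> GetLogs()
        {
            return LogStore.ReadLines();
        }
    }

    // Hypothetical stand-in for the real log source, with a constructed line.
    internal static class LogStore
    {
        public static IEnumerable<string> ReadLines() =>
            new[] { "[INF] constructed sample log line" };
    }
}
```

A quick regression check for a defender is to log in as a member of the Writers group, call each back-office API endpoint the UI hides from that role, and confirm a 401/403 rather than data.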