Umbraco
cpe:2.3:a:umbraco:umbraco:*:*:*:*:*:*:*
- <= 10.8.8
- <= 13.7.0
A vulnerability exists in Umbraco's web backoffice in versions prior to 10.8.9 and 13.7.1. It allows authenticated backoffice users to manipulate API URLs and access or delete content and media from folders outside their permission scope. The issue is fixed in 10.8.9 and 13.7.1.
Exploitation of this vulnerability could lead to unauthorized deletion or retrieval of content and media, bypassing user permissions.
The vulnerability can be reproduced by sending requests to the backoffice API endpoints related to content or media management. This requires an authenticated user with access to the backoffice. The API URLs can be manipulated to include IDs of content or media items located in folders that the user does not have permission to access, for example through query string parameters that the application's permission handling does not properly validate, or through the application's handling of node IDs and UDIs in the query string.
Users can update to Umbraco versions 10.8.9 or 13.7.1, where this vulnerability has been patched.