Umbraco Dictionary Upload Temporary File Enumeration Vulnerability

Vulnerability

A vulnerability exists in Umbraco CMS versions 10.0.0 through 13.12.0 that allows an attacker with backoffice access to abuse the dictionary upload process. The issue arises from improper handling and deletion of temporary files, which leaves the temporary file paths predictable and lets the attacker direct the upload handler at file paths of their choosing. Because the application's error responses differ (HTTP 500 for existing files and 404 for non-existent ones), an attacker can use them as an oracle to enumerate arbitrary files on the server. While this vulnerability does not permit reading or writing file contents, it may inadvertently expose the NTLM hash of the Windows account running Umbraco in certain configurations, particularly in self-hosted environments under privileged identities.
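The 500-versus-404 oracle described above leaves a recognisable trace in the web server access log: one backoffice session drawing a burst of both status codes from the upload endpoint. The following detector is an added example, not code from Umbraco or from this advisory; the route in UPLOAD_PATH, the log lines and the thresholds are constructed placeholders, so substitute the real dictionary-upload route of your deployment before use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder route for illustration; NOT Umbraco's real dictionary-upload endpoint.
UPLOAD_PATH = "/umbraco/backoffice/dictionary/upload"

# Common Log Format with the authenticated user in the third field.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than crash
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_enumeration(lines, window=timedelta(minutes=5), min_hits=10):
    """Map (ip, user) -> hit count for sources that drew both 404 and 500
    from UPLOAD_PATH at least min_hits times within one sliding window."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["path"].startswith(UPLOAD_PATH) and rec["status"] in (404, 500):
            by_src[(rec["ip"], rec["user"])].append((rec["ts"], rec["status"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide window start
                lo += 1
            span = events[lo:hi + 1]
            # Both codes must appear: a lone 404 from a typo is not an oracle
            if len(span) >= min_hits and {s for _, s in span} == {404, 500}:
                flagged[src] = max(flagged.get(src, 0), len(span))
    return flagged

# Constructed sample: one source alternating 500/404 twelve times in 11 s, plus a
# legitimate admin whose single 404 must not be flagged.
SAMPLE_LOG = [
    f'203.0.113.7 - editor [09/Dec/2025:22:00:{i:02d} +0000] '
    f'"POST {UPLOAD_PATH} HTTP/1.1" {500 if i % 2 else 404} 0' for i in range(12)
] + [
    f'198.51.100.4 - admin [09/Dec/2025:22:01:05 +0000] "POST {UPLOAD_PATH} HTTP/1.1" 404 0',
]
```

Tune window and min_hits to the normal upload rate of your editors; a flagged source is a prompt to review that backoffice account and to confirm the instance is on 13.12.1 or later.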

Impact

Exploitation of this vulnerability allows for enumeration of files on the server's filesystem via the application's error responses. Incomplete cleanup of temporary upload files could also expose the NTLM hash of the Windows account running Umbraco, with potentially severe consequences in self-hosted environments using elevated or widely-trusted service accounts.

Remediation

Users can upgrade to Umbraco version 13.12.1 to address this vulnerability.

Added: Dec 9, 2025, 10:03 PM
Updated: Dec 9, 2025, 10:03 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 1.4
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.