Umbraco Engage Unauthenticated API Access Vulnerability Allowing Data Enumeration
Vulnerability
A vulnerability exists in Umbraco Engage versions prior to 16.2.1 and 17.1.1, where certain API endpoints lack proper authentication and authorization checks. These endpoints can be accessed directly over the network without a valid session or user credentials. By using a user-controlled identifier parameter, an attacker can access sensitive data linked to arbitrary records. The absence of access control allows for enumeration attacks, enabling attackers to iterate over identifiers and extract data on a large scale. An unauthenticated attacker can query the affected API endpoints to retrieve sensitive information related to Engage, including analytics data, tracking data, customer information, or other content managed by Engage.
Impact
Exploitation of this vulnerability allows unauthorized access to sensitive data within Umbraco Engage, with a high impact on confidentiality. The vulnerability enables arbitrary record access through predictable or enumerable identifiers, potentially leading to large-scale data extraction.
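A defender-side check implied by the Vulnerability and Impact sections above, as an added example that is not part of the advisory or of Umbraco's own code: a Python heuristic run over constructed access-log lines that flags sessionless clients walking through consecutive values of an identifier parameter, which is the enumeration pattern the advisory describes. The log format, the `/engage/api/PLACEHOLDER` path and the `id` parameter name are assumptions, since the advisory does not name the affected endpoints or their parameters.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not from the advisory). The path and the "id"
# parameter name are placeholders: the advisory does not name the endpoints.
SAMPLE_LOG = """\
10.0.0.5 - [12/Mar/2025:10:00:01] "GET /engage/api/PLACEHOLDER?id=1001 HTTP/1.1" 200 session=-
10.0.0.5 - [12/Mar/2025:10:00:01] "GET /engage/api/PLACEHOLDER?id=1002 HTTP/1.1" 200 session=-
10.0.0.5 - [12/Mar/2025:10:00:02] "GET /engage/api/PLACEHOLDER?id=1003 HTTP/1.1" 200 session=-
10.0.0.5 - [12/Mar/2025:10:00:02] "GET /engage/api/PLACEHOLDER?id=1004 HTTP/1.1" 200 session=-
10.0.0.5 - [12/Mar/2025:10:00:03] "GET /engage/api/PLACEHOLDER?id=1005 HTTP/1.1" 200 session=-
10.0.0.9 - [12/Mar/2025:10:00:03] "GET /engage/api/PLACEHOLDER?id=42 HTTP/1.1" 200 session=3f9c
10.0.0.7 - [12/Mar/2025:10:00:04] "GET /engage/api/PLACEHOLDER?id=77 HTTP/1.1" 200 session=-
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) session=(?P<session>\S+)$')

def parse_line(line):
    """Parse one log line into a dict with path and query params, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["params"] = parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def find_enumeration(lines, id_param="id", min_ids=5, min_sequential=0.8):
    """Flag (ip, path) pairs that, with no session, request many distinct, mostly consecutive ids."""
    seen = defaultdict(set)  # (ip, path) -> distinct integer ids requested
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["session"] != "-":
            continue  # only sessionless requests are in scope here
        raw = rec["params"].get(id_param, "")
        if raw.isdigit():
            seen[(rec["ip"], rec["path"])].add(int(raw))
    alerts = []
    for (ip, path), ids in seen.items():
        ordered = sorted(ids)
        if len(ordered) < min_ids:
            continue
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        ratio = steps.count(1) / len(steps)  # share of gaps that are exactly 1
        if ratio >= min_sequential:
            alerts.append({"ip": ip, "path": path, "distinct_ids": len(ordered), "sequential_ratio": round(ratio, 2)})
    return alerts
```

Once the fixed versions are deployed, the same check is still useful: sessionless requests to these endpoints should then be failing, so a client that keeps iterating identifiers is worth attention even when it gets nothing back.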
Remediation
Users are advised to update Umbraco Engage to version 16.2.1 or 17.1.1. No known workarounds are available.
