CVE-2023-37267
Umbraco allows possible Admin-level access to backoffice without Auth under rare conditions
CVSS 7.5 (High)
Description
Umbraco is an ASP.NET CMS. Under rare conditions, a restart of Umbraco can allow unauthorized users access to admin-level permissions. This vulnerability was patched in versions 10.6.1, 11.4.2 and 12.0.1.
CVSS Vector Breakdown
Exploitability
AV:N  Attack Vector: Network
AC:H  Attack Complexity: High
PR:N  Privileges Required: None
UI:R  User Interaction: Required
Scope
S:U  Scope: Unchanged
Impact
C:H  Confidentiality: High
I:H  Integrity: High
A:H  Availability: High
Exploitability: Official patch available
References
https://github.com/umbraco/Umbraco-CMS/commit/1f26f2c6f3428833892cde5c6d8441fb041e410e
https://github.com/umbraco/Umbraco-CMS/commit/20a4e475c8d7b91d263e4e103ef19f3644e7b569
https://github.com/umbraco/Umbraco-CMS/commit/82eae48d098b9deecbdf86cf288b2b18020e1fed
github.com
Timeline
Published: Jul 13, 2023
Last Updated: Nov 21, 2024