CVE-2020-29454
Description
Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated Umbraco backoffice users without Settings access could read log files via the logviewer endpoint, potentially exposing sensitive information.
Vulnerability
CVE-2020-29454 affects Umbraco CMS versions 8.0.0 through 8.9.1. The LogViewerController endpoint was accessible to any authenticated backoffice user, even those lacking the required Applications.Settings permission [1][2]. This allowed unauthorized access to system logs.
Exploitation
Exploitation requires an authenticated backoffice session. The attacker must know the endpoint and how to call it with correct parameters, but the vendor considers the risk low [1]. The endpoint is not exposed to unauthenticated users or website visitors.
Impact
The logs may contain sensitive information such as error details, stack traces, or custom logged data. While default Umbraco logs do not allow privilege escalation, custom implementations that log passwords or other secrets could lead to privilege escalation [1]. The vendor rates severity as low, but Trustwave rated it medium.
Mitigation
The issue was fixed in Umbraco version 8.10.0 [1]. Users should upgrade to that version or later. Version 7 is not affected.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| UmbracoCms (NuGet) | < 8.10.0 | 8.10.0 |
Affected products
- Umbraco/Umbraco (description)
References
- github.com/advisories/GHSA-4vp3-vfww-8648 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-29454 (ghsa, ADVISORY)
- github.com/umbraco/Umbraco-CMS/pull/9361 (ghsa, x_refsource_MISC, WEB)