CVE-2020-7210
Description
Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-7210 is a CSRF vulnerability in Umbraco CMS 8.2.2 allowing an attacker to enable/disable or delete user accounts by tricking an authenticated admin into visiting a malicious page.
Vulnerability
Overview
CVE-2020-7210 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Umbraco CMS version 8.2.2. The issue stems from the absence of proper CSRF tokens or other anti-forgery mechanisms in critical endpoints of the Umbraco backoffice API. Specifically, the /umbraco/backoffice/UmbracoApi/Users/PostDisableUsers and related user-management endpoints accept POST requests without validating the origin or authenticity of the request [1][3]. This allows an attacker to forge requests that modify user accounts.
Exploitation
Details
An attacker can exploit this vulnerability by crafting a malicious HTML page that includes an auto-submitting form or a script which issues a POST request to the vulnerable Umbraco endpoints. If a logged-in administrator visits the attacker-controlled page, the browser automatically sends the forged request along with the admin's session cookie. The attack requires no authentication on the attacker's part; only the victim's active session is leveraged [3]. Reference [1] provides a proof-of-concept demonstrating how a form can be used to disable user accounts.
Impact
A successful CSRF attack allows the attacker to perform arbitrary user-management actions with the privileges of the compromised administrator. This includes enabling or disabling user accounts, as well as deleting accounts [1][2][3]. Such actions can lead to a denial-of-service (DoS) condition for legitimate users and potentially disrupt the CMS's administrative operations.
Mitigation
The vendor (Umbraco) has acknowledged this vulnerability and recommends upgrading to the latest available version of Umbraco CMS, which includes the necessary CSRF protections [3]. Users of version 8.2.2 are strongly advised to apply the patch immediately. No official workaround has been published, but enabling generic anti-CSRF measures (such as SameSite cookies or custom token validation) may offer interim protection.
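The interim measures named above (origin checking plus a per-session anti-forgery token) are easier to reason about in code. The following is an added example written for this page, not Umbraco's own implementation or the fix shipped in 8.5.0: a minimal server-side CSRF guard evaluated against constructed sample requests to the PostDisableUsers endpoint. The backoffice origin, the `session` cookie name, the `X-CSRF-Token` header and the server secret are all assumed placeholder values.

```python
"""
Added example (not part of the CVE record or Umbraco's code): a minimal
server-side CSRF guard for a state-changing backoffice endpoint, combining
an Origin/Referer check with a per-session anti-forgery token.
"""
import hashlib
import hmac
from urllib.parse import urlparse

ALLOWED_ORIGIN = "https://cms.example.test"      # assumed backoffice origin
SECRET_KEY = b"constructed-server-side-secret"    # assumed; random and private in practice
SESSION_COOKIE = "session"                        # assumed cookie name
TOKEN_HEADER = "X-CSRF-Token"                     # assumed header name
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session_id: str) -> str:
    """Derive a per-session anti-forgery token bound to the session id.

    The token is handed to the legitimate backoffice page and must be echoed
    back on every state-changing request. A cross-site page cannot read it.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or Referer as fallback) is the backoffice.

    A request with neither header fails closed: its provenance is unverifiable.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin == ALLOWED_ORIGIN


def csrf_check(request: dict):
    """Return (allowed, reason) for a request dict with keys
    method, headers, cookies, form."""
    if request["method"].upper() not in UNSAFE_METHODS:
        return True, "safe method"
    session_id = request["cookies"].get(SESSION_COOKIE)
    if not session_id:
        return False, "no session"
    if not origin_allowed(request["headers"]):
        return False, "cross-origin request rejected"
    supplied = request["headers"].get(TOKEN_HEADER) or \
        request["form"].get("__RequestVerificationToken", "")
    expected = issue_token(session_id)
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid anti-forgery token"
    return True, "ok"


# Constructed sample requests. The admin's browser attaches the session
# cookie to both; only the legitimate one carries a valid token and Origin.
SESSION_ID = "constructed-admin-session-0123"
ENDPOINT = "/umbraco/backoffice/UmbracoApi/Users/PostDisableUsers"

LEGIT_REQUEST = {
    "method": "POST",
    "path": ENDPOINT,
    "headers": {"Origin": ALLOWED_ORIGIN, TOKEN_HEADER: issue_token(SESSION_ID)},
    "cookies": {SESSION_COOKIE: SESSION_ID},
    "form": {"userIds": "5"},
}

FORGED_REQUEST = {
    "method": "POST",
    "path": ENDPOINT,
    "headers": {"Origin": "https://attacker.example.test"},  # constructed
    "cookies": {SESSION_COOKIE: SESSION_ID},                  # auto-attached by browser
    "form": {"userIds": "5"},
}


def evaluate_samples() -> dict:
    """Run the guard over the sample requests; returns reasons keyed by label."""
    return {
        "legit": csrf_check(LEGIT_REQUEST),
        "forged": csrf_check(FORGED_REQUEST),
        "legit_without_token": csrf_check(
            dict(LEGIT_REQUEST, headers={"Origin": ALLOWED_ORIGIN})),
        "no_provenance": csrf_check(
            dict(LEGIT_REQUEST, headers={TOKEN_HEADER: issue_token(SESSION_ID)})),
    }


if __name__ == "__main__":
    for label, (allowed, reason) in evaluate_samples().items():
        print(f"{label:>20}: {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The origin check alone stops the forged form submission described in the Exploitation section, and the token check covers browsers or proxies that strip the Origin header; pairing the session cookie with `SameSite=Lax` (set on the cookie itself, outside this snippet) removes the cookie from cross-site POSTs as a third layer. Only requests that pass all checks should reach user-management handlers.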
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| UmbracoCMS.Core (NuGet) | < 8.5.0 | 8.5.0 |
Affected products
- Umbraco/CMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gqqf-8cx6-9r7h (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7210 (NVD)
- packetstormsecurity.com/files/156062/Umbraco-CMS-8.2.2-Cross-Site-Request-Forgery.html (Packet Storm)
- seclists.org/fulldisclosure/2020/Jan/33 (Full Disclosure mailing list)
- sec-consult.com/en/blog/advisories/cross-site-request-forgery-csrf-in-umbraco-cms/ (SEC Consult advisory)
- sec-consult.com/en/vulnerability-lab/advisories/index.html (SEC Consult Vulnerability Lab)
- seclists.org/bugtraq/2020/Jan/35 (Bugtraq mailing list)
News mentions
No linked articles in our index yet.