High severityNVD Advisory· Published Jul 13, 2023· Updated Oct 31, 2024
Umbraco allows possible Admin-level access to backoffice without Auth under rare conditions
CVE-2023-37267
Description
Umbraco is a ASP.NET CMS. Under rare conditions a restart of Umbraco can allow unauthorized users access to admin-level permissions. This vulnerability was patched in versions 10.6.1, 11.4.2 and 12.0.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Umbraco.Cms.InfrastructureNuGet | >= 9.0.0, < 10.6.1 | 10.6.1 |
Umbraco.Cms.InfrastructureNuGet | >= 11.0.0, < 11.4.2 | 11.4.2 |
Umbraco.Cms.InfrastructureNuGet | >= 12.0.0, < 12.0.1 | 12.0.1 |
Umbraco.Cms.Web.BackOfficeNuGet | >= 9.0.0, < 10.6.1 | 10.6.1 |
Umbraco.Cms.Web.BackOfficeNuGet | >= 11.0.0, < 11.4.2 | 11.4.2 |
Umbraco.Cms.Web.BackOfficeNuGet | >= 12.0.0, < 12.0.1 | 12.0.1 |
Affected products
1- Range: >= 9.0.0, < 10.6.1
Patches
320a4e475c8d7Merge pull request from GHSA-h8wc-r4jh-mg7m
2 files changed · +16 −17
src/Umbraco.Infrastructure/Runtime/RuntimeState.cs+1 −1 modified@@ -212,7 +212,7 @@ public void DetermineRuntimeLevel() if (_globalSettings.Value.InstallMissingDatabase || _databaseProviderMetadata.CanForceCreateDatabase(_databaseFactory)) { // ok to install on a configured but missing database - Level = RuntimeLevel.Install; + Level = RuntimeLevel.BootFailed; Reason = RuntimeLevelReason.InstallMissingDatabase; return; }
src/Umbraco.Web.BackOffice/Install/InstallApiController.cs+15 −16 modified@@ -1,5 +1,6 @@ using System.Reflection; using Microsoft.AspNetCore.Mvc; +using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; using Newtonsoft.Json.Linq; using Umbraco.Cms.Core; @@ -25,15 +26,14 @@ namespace Umbraco.Cms.Web.BackOffice.Install; [Area(Constants.Web.Mvc.InstallArea)] public class InstallApiController : ControllerBase { - private readonly IBackOfficeSignInManager _backOfficeSignInManager; - private readonly IBackOfficeUserManager _backOfficeUserManager; private readonly DatabaseBuilder _databaseBuilder; private readonly InstallStatusTracker _installStatusTracker; private readonly InstallStepCollection _installSteps; private readonly ILogger<InstallApiController> _logger; private readonly IProfilingLogger _proflog; private readonly IRuntime _runtime; + [Obsolete("Use the constructor without IBackOfficeUserManager & IBackOfficeSignInManager instead, scheduled for removal in v14")] public InstallApiController( DatabaseBuilder databaseBuilder, IProfilingLogger proflog, @@ -44,14 +44,25 @@ public InstallApiController( IRuntime runtime, IBackOfficeUserManager backOfficeUserManager, IBackOfficeSignInManager backOfficeSignInManager) + : this(databaseBuilder, proflog, logger, installHelper, installSteps, installStatusTracker, runtime) + { + } + + [ActivatorUtilitiesConstructor] + public InstallApiController( + DatabaseBuilder databaseBuilder, + IProfilingLogger proflog, + ILogger<InstallApiController> logger, + InstallHelper installHelper, + InstallStepCollection installSteps, + InstallStatusTracker installStatusTracker, + IRuntime runtime) { _databaseBuilder = databaseBuilder ?? throw new ArgumentNullException(nameof(databaseBuilder)); _proflog = proflog ?? throw new ArgumentNullException(nameof(proflog)); _installSteps = installSteps; _installStatusTracker = installStatusTracker; _runtime = runtime; - _backOfficeUserManager = backOfficeUserManager; - _backOfficeSignInManager = backOfficeSignInManager; InstallHelper = installHelper; _logger = logger; } @@ -88,20 +99,8 @@ public InstallSetup GetSetup() [HttpPost] public async Task<ActionResult> CompleteInstall() { - RuntimeLevel levelBeforeRestart = _runtime.State.Level; - await _runtime.RestartAsync(); - if (levelBeforeRestart == RuntimeLevel.Install) - { - BackOfficeIdentityUser? identityUser = - await _backOfficeUserManager.FindByIdAsync(Core.Constants.Security.SuperUserIdAsString); - if (identityUser is not null) - { - _backOfficeSignInManager.SignInAsync(identityUser, false); - } - } - return NoContent(); }
1f26f2c6f342Merge pull request from GHSA-h8wc-r4jh-mg7m
2 files changed · +16 −17
src/Umbraco.Infrastructure/Runtime/RuntimeState.cs+1 −1 modified@@ -212,7 +212,7 @@ public void DetermineRuntimeLevel() if (_globalSettings.Value.InstallMissingDatabase || _databaseProviderMetadata.CanForceCreateDatabase(_databaseFactory)) { // ok to install on a configured but missing database - Level = RuntimeLevel.Install; + Level = RuntimeLevel.BootFailed; Reason = RuntimeLevelReason.InstallMissingDatabase; return; }
src/Umbraco.Web.BackOffice/Install/InstallApiController.cs+15 −16 modified@@ -1,5 +1,6 @@ using System.Reflection; using Microsoft.AspNetCore.Mvc; +using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; using Newtonsoft.Json.Linq; using Umbraco.Cms.Core; @@ -25,15 +26,14 @@ namespace Umbraco.Cms.Web.BackOffice.Install; [Area(Constants.Web.Mvc.InstallArea)] public class InstallApiController : ControllerBase { - private readonly IBackOfficeSignInManager _backOfficeSignInManager; - private readonly IBackOfficeUserManager _backOfficeUserManager; private readonly DatabaseBuilder _databaseBuilder; private readonly InstallStatusTracker _installStatusTracker; private readonly InstallStepCollection _installSteps; private readonly ILogger<InstallApiController> _logger; private readonly IProfilingLogger _proflog; private readonly IRuntime _runtime; + [Obsolete("Use the constructor without IBackOfficeUserManager & IBackOfficeSignInManager instead, scheduled for removal in v14")] public InstallApiController( DatabaseBuilder databaseBuilder, IProfilingLogger proflog, @@ -44,14 +44,25 @@ public InstallApiController( IRuntime runtime, IBackOfficeUserManager backOfficeUserManager, IBackOfficeSignInManager backOfficeSignInManager) + : this(databaseBuilder, proflog, logger, installHelper, installSteps, installStatusTracker, runtime) + { + } + + [ActivatorUtilitiesConstructor] + public InstallApiController( + DatabaseBuilder databaseBuilder, + IProfilingLogger proflog, + ILogger<InstallApiController> logger, + InstallHelper installHelper, + InstallStepCollection installSteps, + InstallStatusTracker installStatusTracker, + IRuntime runtime) { _databaseBuilder = databaseBuilder ?? throw new ArgumentNullException(nameof(databaseBuilder)); _proflog = proflog ?? throw new ArgumentNullException(nameof(proflog)); _installSteps = installSteps; _installStatusTracker = installStatusTracker; _runtime = runtime; - _backOfficeUserManager = backOfficeUserManager; - _backOfficeSignInManager = backOfficeSignInManager; InstallHelper = installHelper; _logger = logger; } @@ -88,20 +99,8 @@ public InstallSetup GetSetup() [HttpPost] public async Task<ActionResult> CompleteInstall() { - RuntimeLevel levelBeforeRestart = _runtime.State.Level; - await _runtime.RestartAsync(); - if (levelBeforeRestart == RuntimeLevel.Install) - { - BackOfficeIdentityUser? identityUser = - await _backOfficeUserManager.FindByIdAsync(Core.Constants.Security.SuperUserIdAsString); - if (identityUser is not null) - { - _backOfficeSignInManager.SignInAsync(identityUser, false); - } - } - return NoContent(); }
82eae48d098bMerge pull request from GHSA-h8wc-r4jh-mg7m
2 files changed · +16 −13
src/Umbraco.Infrastructure/Runtime/RuntimeState.cs+1 −1 modified@@ -213,7 +213,7 @@ public void DetermineRuntimeLevel() if (_globalSettings.Value.InstallMissingDatabase || _databaseProviderMetadata.CanForceCreateDatabase(_databaseFactory)) { // ok to install on a configured but missing database - Level = RuntimeLevel.Install; + Level = RuntimeLevel.BootFailed; Reason = RuntimeLevelReason.InstallMissingDatabase; return; }
src/Umbraco.Web.BackOffice/Install/InstallApiController.cs+15 −12 modified@@ -1,5 +1,6 @@ using System.Reflection; using Microsoft.AspNetCore.Mvc; +using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; using Newtonsoft.Json.Linq; using Umbraco.Cms.Core; @@ -25,15 +26,14 @@ namespace Umbraco.Cms.Web.BackOffice.Install; [Area(Constants.Web.Mvc.InstallArea)] public class InstallApiController : ControllerBase { - private readonly IBackOfficeSignInManager _backOfficeSignInManager; - private readonly IBackOfficeUserManager _backOfficeUserManager; private readonly DatabaseBuilder _databaseBuilder; private readonly InstallStatusTracker _installStatusTracker; private readonly InstallStepCollection _installSteps; private readonly ILogger<InstallApiController> _logger; private readonly IProfilingLogger _proflog; private readonly IRuntime _runtime; + [Obsolete("Use the constructor without IBackOfficeUserManager & IBackOfficeSignInManager instead, scheduled for removal in v14")] public InstallApiController( DatabaseBuilder databaseBuilder, IProfilingLogger proflog, @@ -44,14 +44,25 @@ public InstallApiController( IRuntime runtime, IBackOfficeUserManager backOfficeUserManager, IBackOfficeSignInManager backOfficeSignInManager) + : this(databaseBuilder, proflog, logger, installHelper, installSteps, installStatusTracker, runtime) + { + } + + [ActivatorUtilitiesConstructor] + public InstallApiController( + DatabaseBuilder databaseBuilder, + IProfilingLogger proflog, + ILogger<InstallApiController> logger, + InstallHelper installHelper, + InstallStepCollection installSteps, + InstallStatusTracker installStatusTracker, + IRuntime runtime) { _databaseBuilder = databaseBuilder ?? throw new ArgumentNullException(nameof(databaseBuilder)); _proflog = proflog ?? throw new ArgumentNullException(nameof(proflog)); _installSteps = installSteps; _installStatusTracker = installStatusTracker; _runtime = runtime; - _backOfficeUserManager = backOfficeUserManager; - _backOfficeSignInManager = backOfficeSignInManager; InstallHelper = installHelper; _logger = logger; } @@ -88,16 +99,8 @@ public InstallSetup GetSetup() [HttpPost] public async Task<ActionResult> CompleteInstall() { - RuntimeLevel levelBeforeRestart = _runtime.State.Level; - await _runtime.RestartAsync(); - if (levelBeforeRestart == RuntimeLevel.Install) - { - BackOfficeIdentityUser identityUser = await _backOfficeUserManager.FindByIdAsync(Core.Constants.Security.SuperUserIdAsString); - _backOfficeSignInManager.SignInAsync(identityUser, false); - } - return NoContent(); }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-h8wc-r4jh-mg7mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-37267ghsaADVISORY
- github.com/umbraco/Umbraco-CMS/commit/1f26f2c6f3428833892cde5c6d8441fb041e410eghsax_refsource_MISCWEB
- github.com/umbraco/Umbraco-CMS/commit/20a4e475c8d7b91d263e4e103ef19f3644e7b569ghsax_refsource_MISCWEB
- github.com/umbraco/Umbraco-CMS/commit/82eae48d098b9deecbdf86cf288b2b18020e1fedghsax_refsource_MISCWEB
- github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-h8wc-r4jh-mg7mghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.