Moderate severity · NVD Advisory · Published Aug 20, 2024 · Updated Sep 3, 2024

Umbraco CMS Improper Access Control vulnerability

CVE-2024-43377

Description

Umbraco CMS is an ASP.NET CMS. An authenticated user can access a few unintended endpoints. This issue is fixed in 14.1.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
Umbraco.Cms (NuGet) | >= 14.0.0, < 14.1.2 | 14.1.2


Patches

1
72bef8861d94

Merge commit from fork

https://github.com/umbraco/Umbraco-CMSSven GeusensAug 19, 2024via ghsa
4 files changed · +62 5
  • src/Umbraco.Cms.Api.Management/DependencyInjection/BackOfficeAuthPolicyBuilderExtensions.cs+2 1 modified
    @@ -29,6 +29,7 @@ internal static IUmbracoBuilder AddAuthorizationPolicies(this IUmbracoBuilder bu
             builder.Services.AddSingleton<IAuthorizationHandler, UserGroupPermissionHandler>();
             builder.Services.AddSingleton<IAuthorizationHandler, UserPermissionHandler>();
             builder.Services.AddSingleton<IAuthorizationHandler, AllowedApplicationHandler>();
    +        builder.Services.AddSingleton<IAuthorizationHandler, BackOfficeHandler>();
     
             builder.Services.AddAuthorization(CreatePolicies);
             return builder;
    @@ -46,7 +47,7 @@ void AddAllowedApplicationsPolicy(string policyName, params string[] allowedClai
             options.AddPolicy(AuthorizationPolicies.BackOfficeAccess, policy =>
             {
                 policy.AuthenticationSchemes.Add(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
    -            policy.RequireAuthenticatedUser();
    +            policy.Requirements.Add(new BackOfficeRequirement());
             });
     
             options.AddPolicy(AuthorizationPolicies.RequireAdminAccess, policy =>
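Review bot: Replacing `policy.RequireAuthenticatedUser()` with `policy.Requirements.Add(new BackOfficeRequirement())` drops the `DenyAnonymousAuthorizationRequirement` from BackOfficeAccess, so the only authentication check left on this policy is whatever `BackOfficeHandler` derives from `IBackOfficeSecurityAccessor` rather than from `context.User`; nothing on the line records why the framework requirement was removed. A why-comment above the new line would stop a later maintainer from re-adding it or from assuming `context.User` is checked, e.g. `// Intentionally not RequireAuthenticatedUser(): that accepts any authenticated principal; BackOfficeRequirement is evaluated against the back-office identity by BackOfficeHandler.` (the motivation is inferred from the advisory text, so confirm the wording). The call also relies on the constructor default for approval; spelling it as `new BackOfficeRequirement(requireApproval: true)` makes the stricter default visible at the policy definition. The enclosing `CreatePolicies` body continues outside the hunk.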
    
  • src/Umbraco.Cms.Api.Management/Security/Authorization/DenyLocalLogin/DenyLocalLoginHandler.cs+5 4 modified
    @@ -1,5 +1,6 @@
     using Microsoft.AspNetCore.Authorization;
     using Microsoft.AspNetCore.Authorization.Infrastructure;
    +using Umbraco.Cms.Api.Management.Security.Authorization.User;
     
     namespace Umbraco.Cms.Api.Management.Security.Authorization.DenyLocalLogin;
     
    @@ -24,12 +25,12 @@ protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context,
     
             if (isDenied is false)
             {
    -            // AuthorizationPolicies.BackOfficeAccess policy adds this requirement by policy.RequireAuthenticatedUser()
    +            // AuthorizationPolicies.BackOfficeAccess policy adds this requirement by policy.Requirements.Add(new BackOfficeRequirement());
                 // Since we want to "allow anonymous" for some endpoints (i.e. BackOfficeController.Login()), it is necessary to succeed this requirement
    -            IEnumerable<DenyAnonymousAuthorizationRequirement> denyAnonymousUserRequirements = context.PendingRequirements.OfType<DenyAnonymousAuthorizationRequirement>();
    -            foreach (DenyAnonymousAuthorizationRequirement denyAnonymousUserRequirement in denyAnonymousUserRequirements)
    +            IEnumerable<BackOfficeRequirement> backOfficeRequirements = context.PendingRequirements.OfType<BackOfficeRequirement>();
    +            foreach (BackOfficeRequirement backOfficeRequirement in backOfficeRequirements)
                 {
    -                context.Succeed(denyAnonymousUserRequirement);
    +                context.Succeed(backOfficeRequirement);
                 }
             }
     
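Review bot: The rewritten loop succeeds every pending `BackOfficeRequirement` regardless of its `RequireApproval` value, so on any policy that combines the DenyLocalLogin requirement with BackOfficeAccess the authentication and approval checks performed by `BackOfficeHandler` are bypassed whenever local login is not denied; this carries over the previous `DenyAnonymousAuthorizationRequirement` semantics, but the new requirement also carries an approval flag that the old one did not. The comment on the preceding line only explains why the requirement is succeeded, not its scope; I would extend it with `// NOTE: this succeeds the requirement unconditionally (RequireApproval included), so this policy must only be combined with endpoints that are meant to be reachable anonymously, such as BackOfficeController.Login().` Whether handler ordering lets this `Succeed` win over a prior `Fail` from `BackOfficeHandler` depends on `MustSatisfyRequirementAuthorizationHandler`, which is not shown here; worth confirming in a test that covers the login endpoint with an anonymous caller. `IsAuthorized` starts and ends outside the hunk.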
    
  • src/Umbraco.Cms.Api.Management/Security/Authorization/User/BackOfficeHandler.cs+35 0 added
    @@ -0,0 +1,35 @@
    +using Microsoft.AspNetCore.Authorization;
    +using Umbraco.Cms.Core.Security;
    +
    +namespace Umbraco.Cms.Api.Management.Security.Authorization.User;
    +
    +/// <summary>
    +///     Ensures authorization is successful for a back office user.
    +/// </summary>
    +public class BackOfficeHandler : MustSatisfyRequirementAuthorizationHandler<BackOfficeRequirement>
    +{
    +    private readonly IBackOfficeSecurityAccessor _backOfficeSecurity;
    +
    +    public BackOfficeHandler(IBackOfficeSecurityAccessor backOfficeSecurity)
    +    {
    +        _backOfficeSecurity = backOfficeSecurity;
    +    }
    +
    +    protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context, BackOfficeRequirement requirement)
    +    {
    +
    +        if (context.HasFailed is false && context.HasSucceeded is true)
    +        {
    +            return Task.FromResult(true);
    +        }
    +
    +        if (!_backOfficeSecurity.BackOfficeSecurity?.IsAuthenticated() ?? false)
    +        {
    +            return Task.FromResult(false);
    +        }
    +
    +        var userApprovalSucceeded = !requirement.RequireApproval ||
    +                                    (_backOfficeSecurity.BackOfficeSecurity?.CurrentUser?.IsApproved ?? false);
    +        return Task.FromResult(userApprovalSucceeded);
    +    }
    +}
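Review bot: The authentication guard in `IsAuthorized` fails open when `_backOfficeSecurity.BackOfficeSecurity` is null: `!_backOfficeSecurity.BackOfficeSecurity?.IsAuthenticated() ?? false` negates a null `bool?` (still null), `?? false` then yields false, the early return is skipped, and with `requirement.RequireApproval == false` the method returns `Task.FromResult(true)` for a request that has no back-office identity at all. Rewrite the guard so that "unknown" counts as unauthenticated, `if (_backOfficeSecurity.BackOfficeSecurity?.IsAuthenticated() is not true)`, and consider reading `_backOfficeSecurity.BackOfficeSecurity` once into a local so the two `?.` lookups cannot observe different values. The first early return assumes `context.HasSucceeded` being true means another handler has already vouched for this requirement, which depends on handler registration order and on how the base class treats a `false` result; a one-line comment stating that assumption would help, and the blank line opening the method body can go. The class lacks XML docs on the constructor and `IsAuthorized`; a `<param>` for `backOfficeSecurity` and a `<returns>` describing the authenticated-and-approved contract would match the summary style already used.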
    
  • src/Umbraco.Cms.Api.Management/Security/Authorization/User/BackOfficeRequirement.cs+20 0 added
    @@ -0,0 +1,20 @@
    +using Microsoft.AspNetCore.Authorization;
    +
    +namespace Umbraco.Cms.Api.Management.Security.Authorization.User;
    +
    +/// <summary>
    +///     Authorization requirement for the <see cref="BackOfficeHandler" />.
    +/// </summary>
    +public class BackOfficeRequirement : IAuthorizationRequirement
    +{
    +    /// <summary>
    +    ///     Initializes a new instance of the <see cref="BackOfficeRequirement" /> class.
    +    /// </summary>
    +    /// <param name="requireApproval">Flag for whether back-office user approval is required.</param>
    +    public BackOfficeRequirement(bool requireApproval = true) => RequireApproval = requireApproval;
    +
    +    /// <summary>
    +    ///     Gets a value indicating whether back-office user approval is required.
    +    /// </summary>
    +    public bool RequireApproval { get; }
    +}
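Review bot: `BackOfficeRequirement` is a plain marker with no virtual members and nothing in this commit derives from it, so declaring it `public sealed class BackOfficeRequirement : IAuthorizationRequirement` matches the usual convention for requirement types. The summary names the handler but not the contract the handler enforces; a `<remarks>` along the lines of `/// Satisfied by BackOfficeHandler when the current back-office user is authenticated and, if RequireApproval is set, approved; DenyLocalLoginHandler may succeed it without those checks.` would tell readers what passing this requirement actually guarantees. Nothing in this commit constructs it with `requireApproval: false`, so that path is untested here as far as the page shows.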
    


