GHSA-wx5h-wqfq-v698
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wx5h-wqfq-v698
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-wx5h-wqfq-v698/GHSA-wx5h-wqfq-v698.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wx5h-wqfq-v698
- Aliases
- Published
- 2025-03-11T15:27:34Z
- Modified
- 2025-03-12T15:11:19.083951Z
- Severity
-
- 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content
- Details
-
Impact
Via manipulation of backoffice API URLs it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to.
Patches
Will be patched in 10.8.9 and 13.7.1
Workarounds
None available.
- Database specific
{ "nvd_published_at": "2025-03-11T16:15:18Z", "cwe_ids": [ "CWE-285", "CWE-863" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-03-11T15:27:34Z" }- References
-
- https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wx5h-wqfq-v698
- https://nvd.nist.gov/vuln/detail/CVE-2025-27602
- https://github.com/umbraco/Umbraco-CMS/commit/5b54bed406682ceff57903bf7d3c57814eef31a7
- https://github.com/umbraco/Umbraco-CMS/commit/7888b9a4ce5ae7f9bda7ff3bb705b8fcd2f1675d
- https://github.com/umbraco/Umbraco-CMS
Affected packages
NuGet / Umbraco.Cms.Web.Backoffice
Package
- Name
- Umbraco.Cms.Web.Backoffice
- View open source insights on deps.dev
- Purl
- pkg:nuget/Umbraco.Cms.Web.Backoffice
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed10.8.9
Affected versions
9.*
9.0.0-rc001
9.0.0-rc002
9.0.0-rc003
9.0.0-rc004
9.0.0
9.0.1
9.1.0-rc
9.1.0
9.1.1
9.1.2
9.2.0-rc
9.2.0
9.3.0-rc
9.3.0
9.3.1
9.4.0-rc
9.4.0
9.4.1
9.4.2
9.4.3
9.5.0-rc
9.5.0-rc2
9.5.0-rc3
9.5.0
9.5.1
9.5.2
9.5.3
9.5.4
10.*
10.0.0-rc1
10.0.0-rc2
10.0.0-rc3
10.0.0-rc4
10.0.0-rc5
10.0.0
10.0.1
10.1.0-rc
10.1.0-rc2
10.1.0
10.1.1
10.2.0-rc
10.2.0
10.2.1
10.3.0-rc
10.3.0
10.3.1
10.3.2
10.4.0-rc
10.4.0
10.4.1
10.4.2
10.5.0-rc
10.5.0
10.5.1
10.6.0-rc
10.6.0
10.6.1
10.7.0-rc
10.7.0
10.8.0-rc
10.8.0
10.8.1
10.8.2
10.8.3
10.8.4
10.8.5
10.8.6
10.8.7
10.8.8
NuGet / Umbraco.Cms.Web.Backoffice
Package
- Name
- Umbraco.Cms.Web.Backoffice
- View open source insights on deps.dev
- Purl
- pkg:nuget/Umbraco.Cms.Web.Backoffice
Affected versions
11.*
11.0.0-rc1
11.0.0-rc2
11.0.0-rc3
11.0.0-rc4
11.0.0-rc5
11.0.0-rc6
11.0.0
11.1.0-rc
11.1.0
11.2.0-rc
11.2.0
11.2.1
11.2.2
11.3.0-rc
11.3.0
11.3.1
11.4.0-rc
11.4.0
11.4.1
11.4.2
11.5.0-rc
11.5.0
12.*
12.0.0-rc1
12.0.0-rc2
12.0.0-rc3
12.0.0-rc4
12.0.0-rc5
12.0.0
12.0.1
12.1.0-rc
12.1.0
12.1.1
12.1.2
12.2.0-rc
12.2.0
12.3.0-rc
12.3.0
12.3.1
12.3.2
12.3.3
12.3.4
12.3.5
12.3.6
12.3.7
12.3.8
12.3.9
12.3.10
13.*
13.0.0-rc1
13.0.0-rc2
13.0.0-rc3
13.0.0-rc4
13.0.0-rc5
13.0.0
13.0.1
13.0.2
13.0.3
13.1.0-rc
13.1.0
13.1.1
13.2.0-rc
13.2.0
13.2.1
13.2.2
13.3.0-rc
13.3.0
13.3.1
13.3.2
13.4.0-rc
13.4.0-rc2
13.4.0
13.4.1
13.5.0-rc
13.5.0
13.5.1
13.5.2
13.5.3
13.6.0-rc
13.6.0-rc2
13.6.0
13.7.0-rc
13.7.0