Security vulnerabilities in Umbraco CMS could lead to account takeover

Vulnerabilities in the CMS platform Umbraco could allow an attacker to take over a user’s account, researchers warn.

Umbraco is a free and popular open source content management system (CMS) with more than 730,000 active installations.

In a blog post released yesterday (January 18), researchers from AppCheck announced they had found two separate vulnerabilities, an application URL overwrite (CVE-2022-22690) and a persistent password reset bug (CVE-2022-22691).

According to researchers, the two security issues could be exploited to enable a malicious actor to take over an account.

Vulnerabilities

Umbraco CMS uses a configuration value named ‘ApplicationUrl’, which is used whenever application code needs to build an absolute URL pointing back to the site. For example, when a user resets their password, the application generates a password reset URL from it.

In Umbraco versions earlier than 9.2.0, if the application URL is not explicitly configured, an attacker can influence this value and point users to a URL of their choosing.

The researchers explained: “The attacker is able to change the URL users receive when resetting their password so that it points to the attacker’s server; when the user follows this link the reset token can be intercepted by the attacker, resulting in account takeover.”

The second issue is present when a user resets their password. A URL is created containing the password reset token that the user then clicks to configure a new password.

However, because this URL is built from the vulnerable ApplicationUrl and can therefore be controlled by the attacker, the password reset code runs with the Current.RuntimeState.ApplicationUrl variable holding the attacker-controlled URL, so the link the user receives points at the attacker’s host, researchers explained.

Fixes issued

After being alerted to the security vulnerabilities, Umbraco released fixes to help protect users from exploitation.

The password reset and user invite flows no longer use the cached ApplicationUrl. If no UmbracoApplicationUrl is configured, the value is determined again from the hostname of the request that invoked the password reset.

A health check process also now warns the administrator that the UmbracoApplicationUrl is not configured and recommends they do so. Once set, none of the flaws described in this post are exploitable.

However, wrote the researchers, whilst the “partial fix” improves the situation and removes the most critical aspect of this vulnerability, there are still some areas that remain vulnerable.

“The password reset process could be invoked on behalf of the user with a malicious hostname set,” the blog post explains.

“The URL to reset the password is poisoned as before, however the user receives the email unexpectedly which would lower the likelihood of a successful attack (CVE-2022-22691).”

Some components are also not covered by the fix such as the Content Notifications, Healthcheck Notifications, and the Keep-Alive task.
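The following Python model, added here as an illustration and not taken from Umbraco or the AppCheck post, contrasts the two behaviours the article describes: an unconfigured application URL that is lazily cached from the first request’s Host header (so a hostile first request poisons every later reset link), a hardened builder that prefers the configured URL and otherwise accepts only an allowlisted request host, and a health check that warns when the URL is unset. The host names, the token, and the `/reset-password` route are constructed for the example.

```python
"""Model of the ApplicationUrl weakness and its mitigation (added example;
the classes, route and host names are constructed, not Umbraco's own code)."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode

# Hypothetical reset route for the example; not Umbraco's real path.
RESET_PATH = "/reset-password"


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    host: str               # Host header value: attacker-influenced input
    scheme: str = "https"


@dataclass
class VulnerableUrlState:
    """Models the pre-9.2.0 behaviour: when no application URL is configured,
    the first request seen fills a process-wide cache that every later
    absolute link (password resets included) is built from."""
    configured_url: Optional[str] = None
    _cached: Optional[str] = field(default=None, init=False, repr=False)

    def application_url(self, request: Request) -> str:
        if self.configured_url:
            return self.configured_url.rstrip("/")
        if self._cached is None:
            # Cached once, from whichever Host header happens to arrive first.
            self._cached = f"{request.scheme}://{request.host}"
        return self._cached


@dataclass
class HardenedUrlState:
    """Prefers the configured URL; otherwise derives the base from the
    *current* request, and only when its Host is on an explicit allowlist."""
    configured_url: Optional[str] = None
    allowed_hosts: frozenset = frozenset()

    def application_url(self, request: Request) -> str:
        if self.configured_url:
            return self.configured_url.rstrip("/")
        if request.host.lower() not in self.allowed_hosts:
            raise ValueError(f"untrusted Host header rejected: {request.host!r}")
        return f"{request.scheme}://{request.host}"


def reset_link(state, request: Request, token: str) -> str:
    """Build the absolute password-reset link the user would be emailed."""
    return f"{state.application_url(request)}{RESET_PATH}?{urlencode({'token': token})}"


def health_check(state) -> list:
    """Mirror the post-fix health check: warn when no application URL is set."""
    warnings = []
    if not state.configured_url:
        warnings.append("Application URL is not configured; absolute links "
                        "depend on the request Host header. Set it explicitly.")
    return warnings


def demo() -> dict:
    token = "constructed-token-123"
    legit = Request("cms.example.org")        # constructed legitimate host
    hostile = Request("attacker.example")     # constructed hostile Host header

    # Unconfigured and vulnerable: a hostile first request poisons the cache,
    # so the legitimate user's reset link now points at the hostile host.
    vuln = VulnerableUrlState()
    reset_link(vuln, hostile, "ignored")      # first request fills the cache
    poisoned = reset_link(vuln, legit, token)

    # Hardened and unconfigured: hostile host is rejected, legitimate request
    # is served from its own hostname, never from a stale cache.
    hard = HardenedUrlState(allowed_hosts=frozenset({"cms.example.org"}))
    safe = reset_link(hard, legit, token)
    try:
        reset_link(hard, hostile, token)
        rejected = False
    except ValueError:
        rejected = True

    # Configured: the Host header is irrelevant, matching the article's advice.
    configured = HardenedUrlState(configured_url="https://cms.example.org/")
    fixed = reset_link(configured, hostile, token)

    return {"poisoned": poisoned, "safe": safe, "hostile_rejected": rejected,
            "configured": fixed, "warnings": health_check(vuln)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist in `HardenedUrlState` is what closes the residual case the researchers describe, where a reset is triggered on the victim’s behalf with a malicious hostname: deriving the base from the current request is only safe if that request’s Host is one the site actually serves. Setting the application URL explicitly, as the health check recommends, sidesteps the question entirely.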

Users should update to version 9.2.0 or higher. The Daily Swig has reached out to Umbraco to determine whether a complete fix will be released and will update this article accordingly.

Source: https://portswigger.net/daily-swig/security-vulnerabilities-in-umbraco-cms-could-lead-to-account-takeover
