Researcher identified in Umbraco CMS — privilege escalation vulnerability allowing attackers to access resources which are normally accessible only by higher-privileged users.
Umbraco CMS — CVE-2020-29454
Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access.
Security researcher from Trustwave addressed a security vulnerability in Umbraco CMS – privilege escalation vulnerability.
However, issue in the core administrative screens which allow a low privileged user to access various resources otherwise limited to higher privileged users, according to Trustwave SpiderLabs Security Advisory.
The issue exists in an API endpoint which does not properly check the user’s authorization prior to returning results found in the application’s logging section.
In addition, The affected endpoint paths include the following:
This log data contains whatever may have been inserted into the application logs per configuration (here, Information level) or custom exception handling routines.
Note that the risk of the information leak will be contextualized based off what is actually logged by default or by whatever additional logging the application maintainer has decided to add.
For example, custom logging of a failed authentication routine could potentially leak usernames and passwords to the log.
Version affected: Umbraco CMS Prior to 8.10.0
Upgrade to Umbraco CMS 8.10.0 or the latest stable version.
Also Trustwave mentioned that has not verified the fixes.