First published: Wed Apr 24 2024

### Impact

Backoffice users can execute arbitrary SQL.

### Explanation of the vulnerability

A Backoffice user can modify requests to a particular API endpoint to include SQL which will be executed by the server.

### Affected versions

All versions

### Patches

Workflow 10.3.9, 12.2.6, 13.0.6, Plumber 10.1.2

### References

[Upgrading Umbraco Workflow](https://docs.umbraco.com/umbraco-workflow/upgrading/upgrading)

Affected Software | Affected Version | How to fix |
---|---|---|
nuget/Plumber.Workflow | <10.1.2 | 10.1.2 |
nuget/Umbraco.Workflow | >=13.0.0-rc1<13.0.6 | 13.0.6 |
nuget/Umbraco.Workflow | >=11.0.0-rc1<12.2.6 | 12.2.6 |
nuget/Umbraco.Workflow | <10.3.9 | 10.3.9 |
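
To check a project against the ranges in the table above, the following added example (not part of the advisory or of Umbraco's code) reads `PackageReference` entries from an SDK-style `.csproj` and reports the first fixed version for each affected package. The function names, the simplified prerelease ordering and the sample project file are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Ranges copied from the advisory table: (package, inclusive lower bound or None, first fixed version).
AFFECTED = [
    ("Plumber.Workflow", None, "10.1.2"),
    ("Umbraco.Workflow", None, "10.3.9"),
    ("Umbraco.Workflow", "11.0.0-rc1", "12.2.6"),
    ("Umbraco.Workflow", "13.0.0-rc1", "13.0.6"),
]

def version_key(text):
    """Sort key for 'major.minor.patch[-prerelease]'; a prerelease sorts before its release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?:-([0-9A-Za-z.-]+))?(?:\+.*)?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, pre = m.groups()
    # Simplification (assumption): prerelease labels are compared as lowercase strings.
    return (int(major), int(minor), int(patch), 0 if pre else 1, (pre or "").lower())

def fixed_in(package, version):
    """Return the first fixed version if `version` falls in an affected range, else None."""
    v = version_key(version)
    for name, low, fixed in AFFECTED:
        in_range = (low is None or v >= version_key(low)) and v < version_key(fixed)
        if name.lower() == package.lower() and in_range:
            return fixed
    return None

def audit_csproj(xml_text):
    """List (package, installed, fixed) for affected PackageReference entries."""
    findings = []
    for ref in ET.fromstring(xml_text).iter("PackageReference"):
        name, version = ref.get("Include"), ref.get("Version")
        if name and version:
            try:
                fixed = fixed_in(name, version)
            except ValueError:
                # Floating or ranged versions (e.g. "13.*") cannot be judged here.
                fixed = "unparsed version, check manually"
            if fixed:
                findings.append((name, version, fixed))
    return findings

# Constructed sample project file, not taken from a real project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Example.Package" Version="1.0.0" />
  <PackageReference Include="Umbraco.Workflow" Version="13.0.5" />
  <PackageReference Include="Plumber.Workflow" Version="10.1.2" />
</ItemGroup></Project>"""

if __name__ == "__main__":
    print(audit_csproj(SAMPLE_CSPROJ))
```

Only versions declared directly on `PackageReference` are inspected; transitive dependencies and centrally managed versions need the resolved package list instead.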