Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints

Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records. Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale. An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers. The confidentiality impact is considered high. No direct integrity or availability impact has been identified. The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content. The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1. No known workarounds are available.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

访问控制不恰当

Umbraco Engage 安全漏洞

Umbraco Engage是丹麦Umbraco公司的一个数字化体验平台的扩展插件。 Umbraco Engage 16.2.1之前版本和17.1.1之前版本存在安全漏洞，该漏洞源于某些API端点未强制执行身份验证或授权检查，可能导致未经验证的攻击者通过枚举标识符检索敏感数据。

N/A

N/A