Security Advisory, January 21, 2025: Sec...
# news
Who's waiting for the subsequent patches in the next day or so? 🙈
Yes
😛
For v10/v13, there's only 1 vulnerability and it's only a vulnerability for users who are authenticated. So as long as you trust your users then there shouldn't be much concern or urgency to rush around to upgrade all your websites. Would you say that's a valid assumption?
I think the management api issue is in v13 too.
ah cool, got management API confused with delivery API 🙂
For the v10/v13 one, one could imagine an editor being sent a preview link that would inject malicious code into the preview. I'm not wise enough to come up with such a link myself, but it seems the complete URL is injected into the page, so theoretically you could put scripts in the URL, and have them executed once a user in preview mode visits the link.
That's exactly it. And an attacker doesn't necessarily need backoffice access to construct such a link, but they would need to guess or otherwise obtain a valid node ID.
Not exactly (see above posts). It is an attack targeted at authenticated users, rather than initiated by an authenticated user, if that makes sense
Yeah so you would then need to catch a user while in preview, or convince them to enter preview mode somehow, then visit a link.
All in all I agree it's not massively urgent, due to difficulty in exploitation, requiring several user actions, etc
But do patch please 🥹