Main Vulnerability Database Vulnerabilities #VU130183

Improper access control in Umbraco CMS - CVE-2023-37267

Published: July 13, 2023 / Updated: May 5, 2026

Vulnerability identifier: #VU130183

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-37267

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Umbraco CMS

Software vendor:
Umbraco

Description

The vulnerability allows a remote attacker to gain admin-level access to the backoffice.

The vulnerability exists due to improper access control in the backoffice installation mode when Umbraco is restarted while the database is unavailable and then the connection is re-established. A remote attacker can cause the application to boot into installation mode and reset admin credentials to gain admin-level access to the backoffice.

User interaction is required.

Remediation

Install security update from vendor's website.

External links

https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-h8wc-r4jh-mg7m

Improper access control in Umbraco CMS - CVE-2023-37267

Description

Remediation

External links

Please verify you're human