Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records. Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale. An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers. The confidentiality impact is considered high. No direct integrity or availability impact has been identified. The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content. The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1. No known workarounds are available.
Weakness
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Extended Description
Access control involves the use of several protection mechanisms such as:
When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc. There are two distinct behaviors that can introduce access control weaknesses:
Potential Mitigations
- Compartmentalize the system to have “safe” areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/19.html
- https://cwe.mitre.org/data/definitions/441.html
- https://cwe.mitre.org/data/definitions/478.html
- https://cwe.mitre.org/data/definitions/479.html
- https://cwe.mitre.org/data/definitions/502.html
- https://cwe.mitre.org/data/definitions/503.html
- https://cwe.mitre.org/data/definitions/536.html
- https://cwe.mitre.org/data/definitions/546.html
- https://cwe.mitre.org/data/definitions/550.html
- https://cwe.mitre.org/data/definitions/551.html
- https://cwe.mitre.org/data/definitions/552.html
- https://cwe.mitre.org/data/definitions/556.html
- https://cwe.mitre.org/data/definitions/558.html
- https://cwe.mitre.org/data/definitions/562.html
- https://cwe.mitre.org/data/definitions/563.html
- https://cwe.mitre.org/data/definitions/564.html
- https://cwe.mitre.org/data/definitions/578.html