Advisories for Nuget/Umbraco.Cms.Web.BackOffice package

Umbraco have an endpoint that is vulnerable to open redirects. The endpoint is protected so it requires the user to be signed into backoffice, before the vulnerability is exposed.

Failing webhooks logs are available when solution is not in debug mode. Those logs can contain information that is critical.

Umbraco is a ASP.NET CMS. Under rare conditions a restart of Umbraco can allow unauthorized users access to admin-level permissions. This vulnerability was patched in versions 10.6.1, 11.4.2 and 12.0.1.