

  • Mike 16 posts 108 karma points
    Jan 20, 2022 @ 13:33
    0

    Account Takeover Vulnerabilities: CVE-2022-22690 & CVE-2022-22691

    Can these vulnerabilities be confirmed by Umbraco?: CVE-2022-22690 & CVE-2022-22691 https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/

    It seems like this could be a BIG problem depending on your configuration.

    If confirmed, we need some documentation if it was indeed fixed in 9.2.0 and confirmation on which versions (including major versions) are impacted. Not to mention a suitable notification being sent out, or at minimum, a post on https://umbraco.com/blog/category/security/

  • Sebastiaan Janssen 5061 posts 15544 karma points MVP admin hq
    Jan 20, 2022 @ 13:59
    100

    Thanks Mike for your question. We have just blogged about this and opened a dedicated forum topic; please add additional questions here: https://our.umbraco.com/forum/using-umbraco-and-getting-started/108070

  • Paul 184 posts 646 karma points
    Jan 20, 2022 @ 15:10
    0

    Thanks for that Seb, good to know.

    Thankfully we have umbracoApplicationUrl set on all instances and they're nearly all on Azure App Services too.
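The mitigation Paul mentions, setting a fixed application URL so that generated reset links never depend on the incoming request, illustrated as an added example that is not Umbraco's own code; the reset path, token and the canonical URL value are constructed placeholders:

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: the canonical public URL an operator would configure
# (hypothetical value, not taken from the thread).
CONFIGURED_APPLICATION_URL = "https://www.example-site.test"


def validate_application_url(url: str) -> bool:
    """A usable application URL must be absolute: scheme plus host.

    A bare hostname or a relative path would silently fall back to
    request-derived values, which is the weak behaviour this setting exists
    to remove.
    """
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def build_reset_link(token: str, request_host: str,
                     application_url: Optional[str]) -> str:
    """Build a password-reset link (hypothetical path, for illustration).

    Weak setting: application_url is None, so the link's host is taken from
    the request's Host header, which the server does not control.
    Corrected setting: application_url is configured, so the link is pinned
    to the canonical site regardless of how the request was addressed.
    """
    if application_url and validate_application_url(application_url):
        base = application_url.rstrip("/")
    else:
        # Weak fallback: trust the Host header of the incoming request.
        base = f"https://{request_host}"
    return f"{base}/umbraco/ResetPassword?token={token}"


def link_host(link: str) -> str:
    """Return the hostname a generated link points at (for checking)."""
    return urlsplit(link).hostname or ""
```

A quick check after deployment is to request a reset with an unexpected Host header and confirm the link in the e-mail still carries the canonical hostname.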
