Partial fix applied for two separate bugs in the open source software

Security vulnerabilities in Umbraco CMS could lead to account takeover

Vulnerabilities in CMS platform Umbraco could allow an attacker to takeover a user’s account, researchers warn.

Umbraco is a free and popular open source content management system (CMS) provider with more than 730,000 active installations.

In a blog post released yesterday (January 18), researchers from AppCheck announced they had found two separate vulnerabilities, an application URL overwrite (CVE-2022-22690) and a persistent password reset bug (CVE-2022-22691).

According to researchers, the two security issues could be exploited to enable a malicious actor to take over an account.


Umbraco CMS uses a configuration named ‘ApplicationUrl’, which is used whenever application code needs to build a URL pointing back to the site. For example, when a user resets their password, the application provides a password reset URL.

In Umbraco versions less than 9.2.0, if the application URL is not specifically configured, an attacker can manipulate this value and point users to a URL of their choosing.

The researchers explained: “The attacker is able to change the URL users receive when resetting their password so that it points to the attacker’s server, when the user follows this link the reset token can be intercepted by the attacker resulting in account takeover.”

Read more of the latest open source software news

The second issue is present when a user resets their password. A URL is created containing the password reset token that the user then clicks to configure a new password.

However, because this URL is built using the vulnerable ApplicationUrl and can therefore be controlled by the attacker, the code below is called, so that when the user resets their password, the Current.RuntimeState.ApplicationUrl variable contains the attacker controlled URL, researchers explained.

Fixes issued

After being alerted to the security vulnerabilities, Umbraco released fixes to help protect users from exploitation.

The password reset and user invites no longer use the cached ApplicationUrl. If no UmbracoApplicationUrl is configured, the value is enumerated again to use the hostname of the request invoking the password reset.

A health check process also now warns the administrator that the UmbracoApplicationUrl is not configured and recommends they do so. Once set, none of the flaws described in this post are exploitable.

However, wrote the researchers, whilst the “partial fix” improves the situation and removes the most critical aspect of this vulnerability, there are still some areas that remain vulnerable.

“The password reset process could be invoked on behalf of the user with a malicious hostname set,” the blog post explains.

“The URL to reset the password is poisoned as before, however the user receives the email unexpectedly which would lower the likelihood of a successful attack (CVE-2022-22691).”

Some components are also not covered by the fix such as the Content Notifications, Healthcheck Notifications, and the Keep-Alive task.

Users should update to version 9.2.0 or higher. The Daily Swig has reached out to Umbraco to determine whether a complete fix will be released and will update this article accordingly.

RECOMMENDED Chrome to bolster CSRF protections with CORS preflight checks on private network requests