CVE-2019-13957

9.8 CRITICAL

📋 TL;DR

This is a SQL injection vulnerability in Umbraco CMS that lets an attacker with backoffice access execute arbitrary SQL commands through the backoffice API (the GetInpectSearch endpoint of PageWApproveApi). It affects Umbraco 7.3.8 installations and can compromise the entire database.

💻 Affected Systems

Products:
  • Umbraco CMS
Versions: 7.3.8 specifically
Operating Systems: All platforms running Umbraco
Default Config Vulnerable: ⚠️ Yes
Notes: Requires backoffice access, but default installations include backoffice functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, data manipulation, privilege escalation to admin, and potential remote code execution via database functions.

🟠 Likely Case: Database information disclosure, data manipulation, and potential backdoor installation through SQL injection.

🟢 If Mitigated: Limited impact if proper input validation and parameterized queries are implemented and database permissions are restricted.

🌐 Internet-Facing: HIGH if backoffice is exposed to internet, as SQL injection can be exploited remotely.
🏢 Internal Only: MEDIUM if backoffice is internal only, requiring internal network access but still vulnerable to insider threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires backoffice authentication, but SQL injection payloads are well-documented and easy to craft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.3.9 and later

Vendor Advisory: https://our.umbraco.com/download/releases/738/

Restart Required: Yes

Instructions:

1. Back up your Umbraco installation and database.
2. Download Umbraco 7.3.9 or later from the official site.
3. Replace the affected files.
4. Restart the application/web server.
5. Verify the fix by testing the previously vulnerable endpoint.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Add input validation to sanitize the nodeName parameter before it is processed:

  • Implement parameterized SQL queries in the GetInpectSearch method (this is the actual fix; validation on its own is only a defense-in-depth layer, since keyword blocklists can be bypassed).
  • Add input validation: if (!IsValidInput(nodeName)) return BadRequest(); (IsValidInput stands for whatever allow-list check fits the expected node names).

Access Restriction

Applies to: all

Restrict access to the backoffice/PageWApprove/PageWApproveApi endpoint:

  • Add IP whitelisting to web.config or application firewall rules.
  • Implement additional authentication requirements for the endpoint.

🧯 If You Can't Patch

  • Deploy a web application firewall (WAF) with SQL injection rules
  • Restrict the database user's permissions to the minimum required (the SQL injection runs with that user's rights, so this caps the worst case)

🔍 How to Verify

Check if Vulnerable:

Test the /umbraco/backoffice/PageWApprove/PageWApproveApi/GetInpectSearch endpoint with SQL injection payloads in the nodeName parameter

Check Version:

Check Umbraco version in /umbraco/config/splashes/booting.aspx or web.config

Verify Fix Applied:

After patching, test the same endpoint with SQL injection payloads and confirm that no database errors or unexpected behavior occur

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in application logs
  • Unusual database queries from backoffice API
  • Multiple failed login attempts followed by API access

Network Indicators:

  • SQL keywords in HTTP POST parameters to backoffice endpoints
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="/umbraco/backoffice/PageWApprove/PageWApproveApi/GetInpectSearch" AND (param="*SELECT*" OR param="*UNION*" OR param="*INSERT*" OR param="*DELETE*")

Match the keywords case-insensitively on the URL-decoded parameter value (payloads are commonly encoded, sometimes twice), and expect some false positives from legitimate node names that contain words such as "insertion"; whole-word matching reduces that noise. Web server access logs only record the query string, so POST bodies to this endpoint need WAF or application-level logging to be covered.
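The same detection, as an added example that is not part of this advisory, written in plain Python so it can be run offline over an exported access log. The log line format and every sample line below are constructed assumptions, not real Umbraco or IIS output; only the endpoint path and the keyword list come from the advisory. It goes slightly beyond the SIEM query: keywords are matched as whole words, case-insensitively, and the nodeName value is decoded repeatedly so double-encoded payloads are caught.

```python
"""Scan web access logs for suspicious requests to the CVE-2019-13957 endpoint.

Added example, not code from the advisory or from Umbraco. Assumed log
format (constructed): "<client_ip> <METHOD> <path?query> <status>".
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint named in the advisory.
TARGET_URI = "/umbraco/backoffice/PageWApprove/PageWApproveApi/GetInpectSearch"

# Keyword list from the advisory's SIEM query. Whole-word, case-insensitive,
# so a node name like "Insertion Guide" does not trigger on INSERT.
SQL_KEYWORDS = re.compile(r"\b(SELECT|UNION|INSERT|DELETE)\b", re.IGNORECASE)

# Constructed log line layout; adjust the regex for your server's format.
LOG_LINE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

# Constructed sample lines: benign lookups, two injection attempts (one of them
# double URL-encoded), an unrelated endpoint, and a POST whose body is not logged.
SAMPLE_LOG = [
    "10.0.0.5 GET /umbraco/backoffice/PageWApprove/PageWApproveApi/GetInpectSearch?nodeName=Home 200",
    "10.0.0.5 GET /umbraco/backoffice/PageWApprove/PageWApproveApi/GetInpectSearch?nodeName=Insertion%20Guide 200",
    "10.0.0.9 GET /umbraco/backoffice/PageWApprove/PageWApproveApi/GetInpectSearch?nodeName=a%27%20UNION%20SELECT%201-- 500",
    "10.0.0.9 GET /umbraco/backoffice/PageWApprove/PageWApproveApi/GetInpectSearch?nodeName=b%2527%2520union%2520select%25201 500",
    "10.0.0.7 GET /umbraco/backoffice/UmbracoApi/Content/GetById?id=1055 200",
    "10.0.0.7 POST /umbraco/backoffice/PageWApprove/PageWApproveApi/GetInpectSearch 200",
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, to defeat double encoding."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str):
    """Return an alert dict for a suspicious GetInpectSearch request, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # ASP.NET routing is case-insensitive, so compare the path that way too.
    if parts.path.lower() != TARGET_URI.lower():
        return None
    # parse_qs decodes one layer; fully_decode handles any further layers.
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("nodeName", []):
        value = fully_decode(raw)
        hit = SQL_KEYWORDS.search(value)
        if hit:
            return {
                "ip": m.group("ip"),
                "keyword": hit.group(1).upper(),
                "nodeName": value,
                # A 5xx alongside a keyword hit matches the "SQL syntax errors" log indicator.
                "status": int(m.group("status")),
            }
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the alerts."""
    return [alert for alert in (inspect_line(l) for l in lines) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The POST sample produces no alert on purpose: an access log carries no request body, which is exactly the gap the network indicators above ("SQL keywords in HTTP POST parameters") need a WAF or application log to close.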
