CVE-2021-47776
📋 TL;DR
CVE-2021-47776 is a server-side request forgery (SSRF) vulnerability in Umbraco CMS that allows attackers to manipulate baseUrl parameters in dashboard and help controller endpoints. This enables unauthorized server-side requests to external hosts, potentially exposing internal systems or facilitating further attacks. All organizations running vulnerable Umbraco CMS versions are affected.
💻 Affected Systems
- Umbraco CMS
📦 What is this software?
Umbraco CMS by Umbraco
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use the SSRF to access internal services, exfiltrate sensitive data, or pivot to internal network resources, potentially leading to full system compromise.
Likely Case
Attackers scan for vulnerable instances and use them to probe internal networks, access metadata services, or interact with internal APIs to gather information.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to denial-of-service against the Umbraco instance or limited information disclosure.
🎯 Exploit Status
Exploit requires authentication to Umbraco CMS, but public exploit code exists on Exploit-DB (ID: 50462)
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v8.14.2 and later
Vendor Advisory: https://our.umbraco.com/
Restart Required: Yes
Instructions:
1. Back up your Umbraco installation and database.
2. Download the latest Umbraco CMS version from releases.umbraco.com.
3. Replace the existing installation files with the updated version.
4. Restart the application pool or web server.
🔧 Temporary Workarounds
Input Validation Filter
Implement middleware or request filters to validate and sanitize baseUrl parameters before processing
Network Egress Filtering
Configure firewall rules to restrict outbound connections from the Umbraco server to only necessary external services
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests containing suspicious baseUrl parameters
- Restrict access to Umbraco admin interface to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check if your Umbraco version is 8.14.1 or earlier. Review application logs for suspicious requests to the affected endpoints with external URLs in parameters.
Check Version:
Check the Umbraco version in the admin dashboard or inspect the /umbraco/version endpoint
Verify Fix Applied:
Verify Umbraco version is 8.14.2 or later. Test that requests with external URLs in baseUrl parameters are rejected or properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /umbraco/backoffice/UmbracoApi/Help/GetContextHelpForPage, /umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardContent, or /umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardCss with external URLs in parameters
- Outbound connections from Umbraco server to unexpected external IPs
Network Indicators:
- Unusual outbound HTTP/HTTPS traffic from Umbraco server to external domains not typically accessed
- Requests to internal services (like metadata services) originating from Umbraco server
SIEM Query:
source="umbraco" AND (uri_path="/umbraco/backoffice/UmbracoApi/Help/GetContextHelpForPage" OR uri_path="/umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardContent" OR uri_path="/umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardCss") AND (query_parameters CONTAINS "http://" OR query_parameters CONTAINS "https://")
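The log indicators and SIEM logic above applied to web-server access-log lines, as an added example that is not code from the advisory or from Umbraco. It goes one step beyond the SIEM query by percent-decoding parameter values, so an encoded `baseUrl=http%3A%2F%2F...` is caught as well; the Combined Log Format, the `ALLOWED_HOSTS` allowlist and the sample log lines are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory; compared case-insensitively since ASP.NET routing is
AFFECTED_PATHS = {
    "/umbraco/backoffice/umbracoapi/help/getcontexthelpforpage",
    "/umbraco/backoffice/umbracoapi/dashboard/getremotedashboardcontent",
    "/umbraco/backoffice/umbracoapi/dashboard/getremotedashboardcss",
}
# Assumed allowlist: hosts this instance is expected to fetch from; anything else is flagged
ALLOWED_HOSTS = {"our.umbraco.com", "dashboard.umbraco.com"}

# Minimal Combined Log Format parser: client address, method, request target, status
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def external_urls(query):
    """Absolute http(s) URLs found in any query parameter value, after percent-decoding."""
    found = []
    for values in parse_qs(query, keep_blank_values=True).values():
        found += [v for v in values if v.lower().startswith(("http://", "https://"))]
    return found


def classify(line):
    """Return details of a suspicious request, or None if the line is benign or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if target.path.lower() not in AFFECTED_PATHS:
        return None
    # Decoding first catches baseUrl=http%3A%2F%2F... that a raw CONTAINS "http://" search misses
    bad = [u for u in external_urls(target.query) if urlsplit(u).hostname not in ALLOWED_HOSTS]
    if not bad:
        return None
    return {"client": m.group("client"), "path": target.path, "urls": bad}


def scan(lines):
    """Run classify() over a log and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log: an expected remote-dashboard fetch, an SSRF probe, an unrelated request
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2021:13:55:36 +0000] "GET /umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardContent?section=content&baseUrl=https%3A%2F%2Fdashboard.umbraco.com%2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2021:13:55:40 +0000] "GET /umbraco/backoffice/UmbracoApi/Help/GetContextHelpForPage?section=content&tree=content&baseUrl=http%3A%2F%2Fintranet.example.internal%2F HTTP/1.1" 200 118',
    '10.0.0.9 - - [10/Oct/2021:13:55:41 +0000] "GET /umbraco/backoffice/UmbracoApi/Content/GetById?id=1 HTTP/1.1" 200 2048',
]
```

`scan(SAMPLE_LOG)` returns a single hit for the second line (client 203.0.113.7, the Help endpoint, with the decoded non-allowlisted URL); the first line is ignored because its baseUrl points at an allowlisted host.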