CVE-2024-48926
📋 TL;DR
Umbraco CMS has an insufficient session expiration vulnerability: the Backoffice logout page shows a session timeout message roughly 30 seconds before the server-side session actually expires, so the session stays usable during that window. It affects Umbraco Backoffice users on unpatched versions and can let an attacker who already holds the session cookie keep using a session the user believes has ended.
💻 Affected Systems
- Umbraco CMS
📦 What is this software?
Umbraco Cms by Umbraco
⚠️ Risk & Real-World Impact
Worst Case
An attacker holding a user's Backoffice session cookie could keep using the session during the roughly 30-second window after the user sees the timeout message; if that user is an administrator, this yields administrative access to the CMS for that window.
Likely Case
Minimal impact in most environments: the window is narrow and the attacker must already possess the victim's session cookie (for example from a shared or unattended workstation, or from a previously captured request). Where those conditions hold, it can yield unauthorized CMS access.
If Mitigated
With Backoffice access restricted to trusted networks and session cookies protected in transit (HTTPS, Secure and HttpOnly flags), risk is minimal, since the attack needs both the cookie and requests timed inside the window.
🎯 Exploit Status
Exploitation requires possession of a valid Backoffice session cookie and sending requests inside the roughly 30-second window after the timeout message (a race against the real expiry, not a cryptographic timing attack). No public exploits are known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.5.2, 10.8.7, or 8.18.15 depending on your branch
Vendor Advisory: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-fp6q-gccw-7qqm
Restart Required: Yes
Instructions:
1. Identify your Umbraco version.
2. Upgrade to the patched version for your branch: 13.x → 13.5.2, 10.x → 10.8.7, 8.x → 8.18.15.
3. Restart the application (IIS app pool or the hosting process).
4. Test logout functionality.
🔧 Temporary Workarounds
Manual Session Invalidation
Implement custom logout logic that invalidates the server-side session as soon as the client shows the timeout message or the user logs out. Because the advisory's window concerns the idle-timeout path, the logic must fire on the timeout message too, not only on an explicit logout click.
Custom code modification required - no single command
Reduce Session Timeout
Configure a shorter Backoffice session timeout so that an idle session stays valid for less time overall. This does not close the roughly 30-second gap itself; it only shortens how long an unattended session lingers before it.
Umbraco 9 and later: set Umbraco:CMS:Global:TimeOut in appsettings.json (a TimeSpan, default 00:20:00). Umbraco 8: set the Umbraco.Core.TimeOutInMinutes appSetting in web.config.
🧯 If You Can't Patch
- Restrict Backoffice access (the /umbraco path) to trusted IP ranges or a VPN at the reverse proxy or firewall
- Instruct users to log out explicitly and close the browser when leaving a workstation; closing the browser discards the cookie locally but does not shorten the server-side window, so it only helps against opportunistic reuse on that machine
🔍 How to Verify
Check if Vulnerable:
Compare your Umbraco version with the patched version for your branch (8.x below 8.18.15, 10.x below 10.8.7, 13.x below 13.5.2). The version is shown in the Help section of the Backoffice; on disk, Umbraco 8 records it in the Umbraco.Core.ConfigurationStatus appSetting in web.config, and Umbraco 9+ projects carry it as the Version of the Umbraco.Cms PackageReference in the .csproj (dotnet list package also shows it).
Check Version:
No single command covers every branch - use the Backoffice UI, or grep web.config / the .csproj for the keys named above.
Verify Fix Applied:
After patching, log in, leave the Backoffice idle until the timeout message appears, then immediately (within 30 seconds) replay a Backoffice request using the authentication cookie captured before the timeout. A patched server must reject it as unauthenticated.
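The version check above, as an added example (not Umbraco's own tooling): it reads the version from a constructed web.config (Umbraco 8, Umbraco.Core.ConfigurationStatus appSetting) or a constructed .csproj (Umbraco 9+, Umbraco.Cms PackageReference) and compares it with the patched version for that branch. The file layouts and key names are assumptions about typical installs; branches not in the page's fix table are reported as not covered rather than as safe.

```python
"""Determine which Umbraco branch an install is on and whether it is below the
patched version for CVE-2024-48926.

Added example, not Umbraco's own tooling. Assumptions: Umbraco 8 records its
version in web.config under the Umbraco.Core.ConfigurationStatus appSetting;
Umbraco 9+ projects reference the Umbraco.Cms NuGet package in the .csproj.
The two XML samples below are constructed for the illustration.
"""
import xml.etree.ElementTree as ET

# Patched versions per branch, as listed in the advisory summary.
PATCHED = {8: (8, 18, 15), 10: (10, 8, 7), 13: (13, 5, 2)}

WEB_CONFIG_SAMPLE = """<configuration>
  <appSettings>
    <add key="Umbraco.Core.ConfigurationStatus" value="8.18.14" />
    <add key="Umbraco.Core.TimeOutInMinutes" value="20" />
  </appSettings>
</configuration>
"""

CSPROJ_SAMPLE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Umbraco.Cms" Version="13.5.1" />
  </ItemGroup>
</Project>
"""


def parse_version(text):
    """'13.5.2-rc1' -> (13, 5, 2); tolerates a trailing pre-release tag."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def umbraco_version_from_web_config(xml_text):
    """Umbraco 8: version string kept in the ConfigurationStatus appSetting."""
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        if add.get("key") == "Umbraco.Core.ConfigurationStatus":
            return add.get("value")
    return None


def umbraco_version_from_csproj(xml_text):
    """Umbraco 9+: version of the Umbraco.Cms package reference."""
    root = ET.fromstring(xml_text)
    for ref in root.iter("PackageReference"):
        if ref.get("Include") == "Umbraco.Cms":
            return ref.get("Version")
    return None


def is_vulnerable(version):
    """True if below the branch's fix, False if at or above it, None if the
    major version is not one of the branches the fix table covers."""
    parsed = parse_version(version)
    fixed = PATCHED.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


if __name__ == "__main__":
    checks = (("web.config", umbraco_version_from_web_config(WEB_CONFIG_SAMPLE)),
              ("csproj", umbraco_version_from_csproj(CSPROJ_SAMPLE)))
    for label, ver in checks:
        print(f"{label}: {ver} -> vulnerable={is_vulnerable(ver)}")
```

Run it against your real web.config or .csproj by reading the file into the matching function; a None result means the branch is outside the page's fix table and needs a manual look at the vendor advisory.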
📡 Detection & Monitoring
Log Indicators:
- Multiple successful Backoffice logins from the same user in quick succession
- Backoffice requests accepted on a session after that session's logout or timeout event, especially within the 30-second window
Network Indicators:
- Backoffice requests arriving within about 30 seconds of a logout or timeout event, particularly from a different source IP than the original session
SIEM Query (Splunk-style; the field names are placeholders to map onto your log schema):
source="umbraco" (event="login" OR event="logout" OR event="session_timeout" OR event="request") | transaction user startswith=eval(event="logout" OR event="session_timeout") maxspan=30s | where eventcount > 1 AND isnull(mvfind(event, "login")) | table _time, user, ip, event, eventcount
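The two log indicators above, implemented as an added detection example (not Umbraco's own code) over a constructed log. The log format (ISO-8601 timestamp followed by key=value pairs) and the fields event, user, ip, session and status are assumptions for the illustration; the detector keys post-logout activity on the session id rather than the user so that a legitimate re-login is not flagged.

```python
"""Detect Backoffice activity that continues after a logout or session-timeout
event, and repeated logins by the same user in quick succession.

Added example, not Umbraco's own code. The log format (ISO-8601 timestamp
followed by key=value pairs) and the field names event, user, ip, session and
status are assumptions for this illustration; map them to your real log schema.
"""
import re
from datetime import datetime, timedelta

TERMINATING_EVENTS = {"logout", "session_timeout"}
POST_LOGOUT_WINDOW = timedelta(seconds=30)   # gap described in the advisory
REPEAT_LOGIN_WINDOW = timedelta(seconds=60)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: alice's session s1 is still accepted 12 s after the
# timeout message; bob's s3 is reused from another address 3 s after logout;
# the 401 at 10:20:45 is a rejected request and must not raise an alert;
# alice's second login is a fresh session and is not post-logout activity.
SAMPLE_LOG = """\
2024-10-22T10:00:00Z event=login user=alice ip=10.0.0.5 session=s1 status=200
2024-10-22T10:20:00Z event=session_timeout user=alice ip=10.0.0.5 session=s1
2024-10-22T10:20:12Z event=request user=alice ip=10.0.0.5 session=s1 status=200
2024-10-22T10:20:45Z event=request user=alice ip=10.0.0.5 session=s1 status=401
2024-10-22T10:21:00Z event=login user=alice ip=10.0.0.5 session=s2 status=200
2024-10-22T10:21:05Z event=request user=alice ip=10.0.0.5 session=s2 status=200
2024-10-22T11:00:00Z event=logout user=bob ip=10.0.0.9 session=s3
2024-10-22T11:00:03Z event=request user=bob ip=203.0.113.7 session=s3 status=200
2024-10-22T12:00:00Z event=login user=carol ip=10.0.0.8 session=s4 status=200
2024-10-22T12:00:20Z event=login user=carol ip=10.0.0.8 session=s5 status=200
"""


def parse_line(line):
    """One log line -> dict of fields plus a parsed 'ts' datetime."""
    ts_text, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def load_events(log_text):
    """Parse all non-empty lines and order them by timestamp."""
    return sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def find_post_logout_activity(log_text, window=POST_LOGOUT_WINDOW):
    """Accepted (2xx) requests on a session already reported as terminated."""
    ended = {}   # session id -> (time terminated, ip at termination)
    alerts = []
    for e in load_events(log_text):
        sid = e.get("session")
        if e["event"] in TERMINATING_EVENTS:
            ended[sid] = (e["ts"], e.get("ip"))
        elif e["event"] == "request" and sid in ended:
            accepted = e.get("status", "").startswith("2")
            delay = e["ts"] - ended[sid][0]
            if accepted:   # a rejected replay is the patched behaviour, not an alert
                alerts.append({
                    "user": e.get("user"),
                    "session": sid,
                    "ip": e.get("ip"),
                    "ip_changed": e.get("ip") != ended[sid][1],
                    "seconds_after_logout": delay.total_seconds(),
                    "within_advisory_window": delay <= window,
                })
    return alerts


def find_rapid_relogins(log_text, window=REPEAT_LOGIN_WINDOW):
    """(user, seconds between logins) for consecutive logins closer than window."""
    logins = {}
    for e in load_events(log_text):
        if e["event"] == "login":
            logins.setdefault(e["user"], []).append(e["ts"])
    hits = []
    for user, times in logins.items():
        for earlier, later in zip(times, times[1:]):
            if later - earlier <= window:
                hits.append((user, (later - earlier).total_seconds()))
    return hits


if __name__ == "__main__":
    for a in find_post_logout_activity(SAMPLE_LOG):
        print("post-logout activity:", a)
    for user, gap in find_rapid_relogins(SAMPLE_LOG):
        print(f"rapid re-login: {user} within {gap:.0f}s")
```

An accepted request on a terminated session is reported whether or not it falls inside the 30-second window, because any acceptance after the timeout message is the condition the advisory describes; the within_advisory_window flag just tells you whether the observation matches the expected gap or something worse.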