CVE-2024-48929
📋 TL;DR
This vulnerability in Umbraco CMS allows session persistence after explicit sign-out, meaning users who log out may still have active server sessions. It affects Umbraco 13.x versions before 13.5.2 and 10.x versions before 10.8.7. This impacts all users of affected Umbraco installations.
💻 Affected Systems
- Umbraco CMS
📦 What is this software?
Umbraco Cms by Umbraco
⚠️ Risk & Real-World Impact
Worst Case
An attacker with physical access to a logged-out user's device could potentially resume the user's session and perform unauthorized actions with the user's privileges.
Likely Case
Users who log out from shared or public computers may leave active sessions that subsequent users could potentially access.
If Mitigated
With proper session timeout configurations and user awareness, the risk is limited to specific scenarios where session persistence is actively exploited.
🎯 Exploit Status
Exploitation requires access to the user's device or session data after logout. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.5.2 for 13.x branch, 10.8.7 for 10.x branch
Vendor Advisory: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wxw9-6pv9-c3xc
Restart Required: Yes
Instructions:
1. Back up your Umbraco installation and database.
2. Update to Umbraco 13.5.2 (for 13.x) or 10.8.7 (for 10.x).
3. Restart the application pool or IIS.
4. Verify the update was successful.
🔧 Temporary Workarounds
Implement Session Timeout
Configure shorter session timeout values to limit the window of opportunity for session reuse
Modify web.config or appsettings.json to set appropriate session timeout values
Force Session Invalidation
Implement custom logout logic that explicitly invalidates server sessions
Implement a custom logout handler that calls Session.Abandon() and clears all session data
🧯 If You Can't Patch
- Implement mandatory session timeout of 15 minutes or less
- Educate users to close browsers completely after logout and avoid using public/shared computers for administrative tasks
🔍 How to Verify
Check if Vulnerable:
Check the Umbraco version in the Settings > Updates section of the Umbraco backoffice, or examine the version information in web.config/appsettings.json
Check Version:
Check the Umbraco backoffice under Settings > Updates, or examine the UmbracoVersion property in web.config
Verify Fix Applied:
After patching, test the logout functionality by logging in, logging out, then attempting to access authenticated resources without logging back in; the old session should be rejected
📡 Detection & Monitoring
Log Indicators:
- Multiple successful authentication events from the same user/IP in quick succession after logout events
- Session ID reuse after logout
Network Indicators:
- HTTP requests with previously logged-out session cookies accessing authenticated endpoints
SIEM Query:
source="umbraco" AND (event="logout" OR event="authentication") | stats count by user, session_id, src_ip | where count > 1
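The "session ID reuse after logout" indicator above can be checked more precisely than the count-based SIEM query: a logout marks a session id as dead, and any later request or login carrying that id is a finding. The following is an added example (not part of this advisory or of Umbraco) that runs that logic over constructed key=value log lines; the field names and the log format are assumptions, not real Umbraco output.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in an assumed key=value style (not real Umbraco log output).
# Line 6 reuses session S1 from a new IP 39 minutes after S1 was logged out.
SAMPLE_LOG = """\
2024-10-14T09:00:01Z event=login user=editor session_id=S1 src_ip=10.0.0.5
2024-10-14T09:05:10Z event=request user=editor session_id=S1 src_ip=10.0.0.5 path=/umbraco/backoffice/content/getbyid
2024-10-14T09:06:00Z event=logout user=editor session_id=S1 src_ip=10.0.0.5
2024-10-14T09:06:30Z event=login user=editor session_id=S2 src_ip=10.0.0.5
2024-10-14T09:07:00Z event=request user=editor session_id=S2 src_ip=10.0.0.5 path=/umbraco/backoffice/content/getbyid
2024-10-14T09:45:12Z event=request user=editor session_id=S1 src_ip=203.0.113.7 path=/umbraco/backoffice/content/postsave
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict of key=value fields plus a UTC datetime under 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def find_post_logout_reuse(log_text):
    """Return every event that carries a session_id already seen in an earlier logout event.

    A correct sign-out makes the server reject the old cookie, so such events indicate
    session persistence after logout (or replay of a captured cookie) and merit review.
    """
    dead = {}  # session_id -> the logout record that killed it
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        rec = parse_line(raw)
        if not rec or "session_id" not in rec:
            continue
        sid = rec["session_id"]
        if rec.get("event") == "logout":
            dead[sid] = rec
            continue
        if sid in dead:
            logout = dead[sid]
            findings.append({
                "line": lineno, "session_id": sid, "user": rec.get("user"),
                "src_ip": rec.get("src_ip"), "path": rec.get("path"),
                "minutes_after_logout": round((rec["ts"] - logout["ts"]).total_seconds() / 60, 1),
                "ip_changed": rec.get("src_ip") != logout.get("src_ip"),  # different IP raises severity
            })
    return findings


if __name__ == "__main__":
    for f in find_post_logout_reuse(SAMPLE_LOG):
        print(f)
```

A session legitimately re-established after logout (S2 above) gets a fresh id and is not flagged; the IP change on the flagged line is what separates a stale cached cookie from likely misuse.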