CVE-2021-47776
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| umbraco | cms | 8.14.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Request Forgery (SSRF) in Umbraco CMS version 8.14.1. It allows attackers to manipulate the 'baseUrl' parameter in several API endpoints (GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss) to make the server perform unauthorized HTTP requests to arbitrary external hosts. The server uses the user-controlled 'baseUrl' to fetch remote content without proper validation, enabling attackers to trigger these unauthorized requests. [2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to make the Umbraco server send unauthorized requests to external or internal systems. This can lead to internal network scanning, data exfiltration, or further exploitation depending on the internal network configuration and accessible services. Essentially, attackers can leverage this SSRF to gain information about or interact with internal resources that are not normally accessible. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and analyzing requests to the vulnerable Umbraco CMS endpoints that accept the 'baseUrl' parameter. Specifically, look for unusual or unauthorized requests to the following endpoints: /umbraco/BackOffice/Api/Help/GetContextHelpForPage, /umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardContent, and /umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardCss. You can use network monitoring tools or web server logs to identify requests where the 'baseUrl' parameter points to suspicious or external domains. Example commands to detect such activity include using curl to test the endpoints with a controlled 'baseUrl' parameter or using grep on server logs to find requests containing 'baseUrl'. For instance, a curl command to test one endpoint might be: curl -G 'http://your-umbraco-site/umbraco/BackOffice/Api/Help/GetContextHelpForPage' --data-urlencode 'section=someSection' --data-urlencode 'tree=someTree' --data-urlencode 'baseUrl=https://attacker-controlled-domain'. Additionally, searching logs with a command like: grep 'baseUrl=' /path/to/umbraco/logs/access.log can help identify suspicious requests. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoints to trusted users only, such as by implementing IP whitelisting or authentication controls. Additionally, monitor and block outgoing requests from the Umbraco server to untrusted external domains to prevent SSRF exploitation. Applying the latest security patches or upgrading to a non-vulnerable version of Umbraco CMS, if available, is recommended. Since the vulnerability affects version 8.14.1, upgrading to a later version where this issue is fixed would be the most effective mitigation. If an upgrade is not immediately possible, consider implementing web application firewall (WAF) rules to block requests containing suspicious 'baseUrl' parameters targeting these endpoints. [1, 2]