5.3
CVE-2025-24011
- EPSS 1.45%
- Published 21.01.2025 16:15:14
- Last modified 20.02.2025 16:44:29
- Source security-advisories@github.com
Umbraco CMS Vulnerable to User Enumeration Feasible Based On Management API Timing and Response Codes
Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available.
Data provided by the National Vulnerability Database (NVD)
Umbraco ≫ Umbraco Cms Version >= 14.0.0 < 14.3.2
Umbraco ≫ Umbraco Cms Version >= 15.0.0 < 15.1.2
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.45% | 0.7 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| security-advisories@github.com | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-203 Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
https://github.com/umbraco/Umbraco-CMS/commit/559c6c9f312df1d6eb1bde82c4b81c0896da6382
https://github.com/umbraco/Umbraco-CMS/commit/839b6816f2ae3e5f54459a0f09dad6b17e2d1e07
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hmg4-wwm5-p999