CVE-2025-24011

Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/umbraco/Umbraco-CMS/commit/559c6c9f312df1d6eb1bde82c4b81c0896da6382	Patch
https://github.com/umbraco/Umbraco-CMS/commit/839b6816f2ae3e5f54459a0f09dad6b17e2d1e07	Patch
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hmg4-wwm5-p999	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:umbraco:umbraco_cms::::::::
	cpe:2.3:a:umbraco:umbraco_cms::::::::

History

20 Feb 2025, 16:44

Type	Values Removed	Values Added
CWE		CWE-203
First Time		Umbraco Umbraco umbraco Cms
Summary		(es) Umbraco es un sistema de gestión de contenido .NET sistema gratuito y de código abierto. A partir de la versión 14.0.0 y antes de las versiones 14.3.2 y 15.1.2, es posible determinar si existe una cuenta en función de un análisis de los códigos de respuesta y el tiempo de las respuestas de la API de gestión de Umbraco. Las versiones 14.3.2 y 15.1.2 contienen un parche. No se conocen workarounds disponibles.
References	~~() https://github.com/umbraco/Umbraco-CMS/commit/559c6c9f312df1d6eb1bde82c4b81c0896da6382 -~~	() https://github.com/umbraco/Umbraco-CMS/commit/559c6c9f312df1d6eb1bde82c4b81c0896da6382 - Patch
References	~~() https://github.com/umbraco/Umbraco-CMS/commit/839b6816f2ae3e5f54459a0f09dad6b17e2d1e07 -~~	() https://github.com/umbraco/Umbraco-CMS/commit/839b6816f2ae3e5f54459a0f09dad6b17e2d1e07 - Patch
References	~~() https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hmg4-wwm5-p999 -~~	() https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hmg4-wwm5-p999 - Vendor Advisory
CPE		cpe:2.3:a:umbraco:umbraco_cms::::::::

21 Jan 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-21 16:15

Updated : 2025-02-20 16:44

NVD link : CVE-2025-24011

Mitre link : CVE-2025-24011

CVE.ORG link : CVE-2025-24011

JSON object : View

Products Affected

umbraco

umbraco_cms

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-203

Observable Discrepancy

{"id": "CVE-2025-24011", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-01-21T16:15:14.760", "references": [{"url": "https://github.com/umbraco/Umbraco-CMS/commit/559c6c9f312df1d6eb1bde82c4b81c0896da6382", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/umbraco/Umbraco-CMS/commit/839b6816f2ae3e5f54459a0f09dad6b17e2d1e07", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hmg4-wwm5-p999", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available."}, {"lang": "es", "value": "Umbraco es un sistema de gesti\u00f3n de contenido .NET sistema gratuito y de c\u00f3digo abierto. A partir de la versi\u00f3n 14.0.0 y antes de las versiones 14.3.2 y 15.1.2, es posible determinar si existe una cuenta en funci\u00f3n de un an\u00e1lisis de los c\u00f3digos de respuesta y el tiempo de las respuestas de la API de gesti\u00f3n de Umbraco. Las versiones 14.3.2 y 15.1.2 contienen un parche. No se conocen workarounds disponibles."}], "lastModified": "2025-02-20T16:44:29.017", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D80F7E9-B08B-4634-87DB-72C6772B3458", "versionEndExcluding": "14.3.2", "versionStartIncluding": "14.0.0"}, {"criteria": "cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98EFFDE3-BE84-4F6C-B28B-42EE448FA462", "versionEndExcluding": "15.1.2", "versionStartIncluding": "15.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

5.3 /10