Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03N2dqLWNyaHAtM2d2eM4AA-zy
Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information
Impact
Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode.
Explanation of the vulnerability
Management API endpoints leaked stack traces on internal server errors regardless of whether the debug setting was disabled, e.g. when paging with negative numbers in some APIs.
Permalink: https://github.com/advisories/GHSA-77gj-crhp-3gvx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03N2dqLWNyaHAtM2d2eM4AA-zy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 2 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-77gj-crhp-3gvx, CVE-2024-43376
References:
- https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-77gj-crhp-3gvx
- https://nvd.nist.gov/vuln/detail/CVE-2024-43376
- https://github.com/umbraco/Umbraco-CMS/commit/b76070c794925932cb159ef50b851db6e966a004
- https://github.com/advisories/GHSA-77gj-crhp-3gvx
Blast Radius: 1.0
Affected Packages
nuget:Umbraco.Cms.Api.Management
Dependent packages: 11
Dependent repositories: 0
Downloads: 85,719 total
Affected Version Ranges: >= 14.0.0, < 14.1.2
Fixed in: 14.1.2
All affected versions: 14.0.0, 14.1.0, 14.1.1
All unaffected versions: 14.1.2, 14.2.0, 14.3.0, 14.3.1, 15.0.0