
GSA_kwCzR0hTQS1obWc0LXd3bTUtcDk5Oc4ABDo8

Severity: Moderate
EPSS: 0.13877% (0.94048 percentile)

Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes

Affected package: nuget:Umbraco.Cms (PURL: pkg:nuget/Umbraco.Cms)
Affected versions: >= 15.0.0, < 15.1.2; >= 14.0.0, < 14.3.2
Fixed versions: 15.1.2, 14.3.2

46 dependent packages
0 dependent repositories
4,035,543 total downloads

Affected Version Ranges

All affected versions

14.0.0, 14.1.0, 14.1.1, 14.1.2, 14.2.0, 14.3.0, 14.3.1, 15.0.0, 15.1.0, 15.1.1

All unaffected versions

9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 10.0.0, 10.0.1, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.4.0, 10.4.1, 10.4.2, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 10.7.0, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.8.6, 10.8.7, 10.8.8, 10.8.9, 10.8.10, 10.8.11, 11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.2.2, 11.3.0, 11.3.1, 11.4.0, 11.4.1, 11.4.2, 11.5.0, 12.0.0, 12.0.1, 12.1.0, 12.1.1, 12.1.2, 12.2.0, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.3.8, 12.3.9, 12.3.10, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.1.0, 13.1.1, 13.2.0, 13.2.1, 13.2.2, 13.3.0, 13.3.1, 13.3.2, 13.4.0, 13.4.1, 13.5.0, 13.5.1, 13.5.2, 13.5.3, 13.6.0, 13.7.0, 13.7.1, 13.7.2, 13.8.0, 13.8.1, 13.9.0, 13.9.1, 13.9.2, 13.9.3, 13.10.0, 14.3.2, 14.3.3, 14.3.4, 15.1.2, 15.2.0, 15.2.1, 15.2.2, 15.2.3, 15.3.0, 15.3.1, 15.4.0, 15.4.1, 15.4.2, 15.4.3, 15.4.4, 16.0.0, 16.1.0, 16.1.1, 16.2.0

Impact

By analysing the response codes and timing of Umbraco 14+ Management API responses, it is possible to determine whether a given account exists.

Patches

Patched in 14.3.2 and 15.1.2.

Workarounds

None available.
