CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-24011: Umbraco CMS Vulnerable to User Enumeration Feasible Based On Management API Timing and Response Codes

5.3 CVSS

Description

Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available.

Classification

CVE ID: CVE-2025-24011

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

Affected Products

Vendor: umbraco

Product: Umbraco-CMS

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.98% (scored less or equal to compared to others)

EPSS Date: 2025-02-19 (when was this score calculated)

References

https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hmg4-wwm5-p999
https://github.com/umbraco/Umbraco-CMS/commit/559c6c9f312df1d6eb1bde82c4b81c0896da6382
https://github.com/umbraco/Umbraco-CMS/commit/839b6816f2ae3e5f54459a0f09dad6b17e2d1e07

Timeline

2025-01-21 22:15:21 UTC
Github Advisory Database (Nuget)

[Umbraco.Cms] Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes
2025-01-22 00:30:54 UTC
CVE

Umbraco CMS Vulnerable to User Enumeration Feasible Based On Management API Timing and Response Codes