CVE-2025-24011

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-24011

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24011.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-24011

Aliases

GHSA-hmg4-wwm5-p999

Published

2025-01-21T15:27:30.090Z

Modified

2025-12-05T08:53:07.819956Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Umbraco CMS Vulnerable to User Enumeration Feasible Based On Management API Timing and Response Codes

Details

Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24011.json"
}

References

Affected packages

Git / github.com/umbraco/umbraco-cms

Affected ranges

Type

GIT

Repo

https://github.com/umbraco/umbraco-cms

Events

Introduced

8685c7d64a1c597983cfb82e1bd1d269d22e4508

Fixed

abc312c9b45440c0f311dc95354db0949dbf9808

Database specific

{
    "versions": [
        {
            "introduced": "14.0.0"
        },
        {
            "fixed": "14.3.2"
        }
    ]
}

Type

GIT

Repo

https://github.com/umbraco/umbraco-cms

Events

Introduced

76ed1707537e8f0dcf13ae7a84d2af60d1aa1816

Fixed

559c6c9f312df1d6eb1bde82c4b81c0896da6382

Database specific

{
    "versions": [
        {
            "introduced": "15.0.0"
        },
        {
            "fixed": "15.1.2"
        }
    ]
}

Affected versions

13.*

13.5.0-rc

release-10.*

release-10.8.6

release-12.*

release-12.3.10

release-13.*

release-13.3.0

release-13.3.1

release-13.3.2

release-13.4.0

release-13.4.0-rc

release-13.4.0-rc2

release-13.4.1

release-13.5.0

release-14.*

release-14.0.0

release-14.1.0

release-14.1.0-rc

release-14.1.0-rc2

release-14.1.1

release-14.1.2

release-14.2.0

release-14.2.0-rc

release-14.2.0-rc2

release-14.3.0

release-14.3.0-rc

release-14.3.1

release-15.*

release-15.0.0

release-15.1.0

release-15.1.0-rc

release-15.1.0-rc2

release-15.1.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24011.json"