GHSA-77gj-crhp-3gvx

Source
https://github.com/advisories/GHSA-77gj-crhp-3gvx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-77gj-crhp-3gvx/GHSA-77gj-crhp-3gvx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-77gj-crhp-3gvx
Aliases
Published
2024-08-20T18:25:15Z
Modified
2024-09-17T16:35:18.164467Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information
Details

Impact

Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode.

Explanation of the vulnerability

Management API endpoints leaked stack traces in their Internal Server Error responses, regardless of whether the debug setting was disabled.

For example, paging with negative numbers in some APIs triggered such an error response.
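As an added illustration (this is not Umbraco's code and not part of the advisory), the snippet below shows the pattern the advisory describes and its hardened form in a minimal ASP.NET Core app: the weak handler writes the exception, stack trace included, into every 500 response, while the corrected handler only emits detailed errors in the Development environment and otherwise returns a generic ProblemDetails body with a correlation id, logging the full exception server-side. The `/api/items` paging endpoint, its `skip`/`take` parameters and the negative-value check are hypothetical stand-ins for the paging endpoints mentioned above; the code assumes the .NET 6+ web SDK.

```csharp
// Added example (not Umbraco's code): a minimal ASP.NET Core app whose global
// exception handler never exposes a stack trace outside Development.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// WEAK (the behaviour this advisory describes): the exception text, which
// includes the stack trace, is written to the client on every 500,
// no matter which environment or debug setting is active.
//
// app.UseExceptionHandler(errorApp => errorApp.Run(async ctx =>
// {
//     var ex = ctx.Features.Get<IExceptionHandlerFeature>()?.Error;
//     ctx.Response.StatusCode = StatusCodes.Status500InternalServerError;
//     await ctx.Response.WriteAsync(ex?.ToString() ?? "error"); // leaks the trace
// }));

if (app.Environment.IsDevelopment())
{
    // Detailed error pages only where a developer is expected to read them.
    app.UseDeveloperExceptionPage();
}
else
{
    app.UseExceptionHandler(errorApp => errorApp.Run(async ctx =>
    {
        var ex = ctx.Features.Get<IExceptionHandlerFeature>()?.Error;
        var traceId = ctx.TraceIdentifier;

        // Keep the full exception (with stack trace) in server-side logs,
        // keyed by the trace id so support can correlate a client report.
        app.Logger.LogError(ex, "Unhandled exception, traceId={TraceId}", traceId);

        ctx.Response.StatusCode = StatusCodes.Status500InternalServerError;
        await ctx.Response.WriteAsJsonAsync(new ProblemDetails
        {
            Status = StatusCodes.Status500InternalServerError,
            Title = "An unexpected error occurred.",
            Extensions = { ["traceId"] = traceId }  // opaque id, no internals
        });
    }));
}

// Hypothetical paging endpoint. Rejecting bad input with a 400 up front is
// the second half of the fix: a negative page value should never reach code
// that throws and produces a 500 in the first place.
app.MapGet("/api/items", (int skip, int take) =>
{
    if (skip < 0 || take < 0)
    {
        return Results.BadRequest(new ProblemDetails
        {
            Status = StatusCodes.Status400BadRequest,
            Title = "skip and take must be non-negative."
        });
    }
    return Results.Ok(new { skip, take });
});

app.Run();
```

With this configuration a request such as `/api/items?skip=-1&take=10` yields a 400 with a validation message, and any exception that does escape an endpoint in a non-Development deployment produces only the generic ProblemDetails body; the stack trace is available solely in the server logs under the returned `traceId`.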

Database specific
{
    "nvd_published_at": "2024-08-20T15:15:23Z",
    "cwe_ids": [
        "CWE-209"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-20T18:25:15Z"
}
References

Affected packages

NuGet / Umbraco.Cms.Api.Management

Package

Name
Umbraco.Cms.Api.Management
Purl
pkg:nuget/Umbraco.Cms.Api.Management

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14.0.0
Fixed
14.1.2

Affected versions

14.*

14.0.0
14.1.0-rc
14.1.0-rc2
14.1.0
14.1.1