GHSA-hmg4-wwm5-p999

Source

https://github.com/advisories/GHSA-hmg4-wwm5-p999

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-hmg4-wwm5-p999/GHSA-hmg4-wwm5-p999.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hmg4-wwm5-p999

Aliases

CVE-2025-24011

Published

2025-01-21T21:21:30Z

Modified

2025-01-21T21:42:05.388327Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes

Details

Impact

Based on an analysis of response codes and timing of Umbraco 14+ management API responses, it's possible to determine whether an account exists.

Patches

Will be patched in 14.3.2 and 15.1.2.

Workarounds

None available.

Database specific

{
    "nvd_published_at": "2025-01-21T16:15:14Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-21T21:21:30Z"
}

References

Affected packages

NuGet / Umbraco.Cms

Package

Name: Umbraco.Cms; View open source insights on deps.dev
Purl: pkg:nuget/Umbraco.Cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.0.0

Fixed

14.3.2

Affected versions

14.*

14.0.0

14.1.0-rc

14.1.0-rc2

14.1.0

14.1.1

14.1.2

14.2.0-rc

14.2.0-rc2

14.2.0-rc3

14.2.0

14.3.0-rc

14.3.0

14.3.1

NuGet / Umbraco.Cms

Package

Name: Umbraco.Cms; View open source insights on deps.dev
Purl: pkg:nuget/Umbraco.Cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

15.0.0

Fixed

15.1.2

Affected versions

15.*

15.0.0

15.1.0-rc

15.1.0-rc2

15.1.0

15.1.1