GHSA-pgvc-6h2p-q4f6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pgvc-6h2p-q4f6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-pgvc-6h2p-q4f6/GHSA-pgvc-6h2p-q4f6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pgvc-6h2p-q4f6
- Aliases
-
- CVE-2025-49147
- Published
- 2025-06-24T19:36:32Z
- Modified
- 2025-06-24T20:12:11.651087Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Umbraco CMS disclosure of configured password requirements
- Details
-
Impact
Via a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password requirements. The information available is limited but would perhaps give some additional detail useful for someone attempting to brute force derive a user's password.
The vulnerability can be found in the supported Umbraco versions 10 and 13. It was not exposed in Umbraco 7 or 8, nor in 14 or higher versions.
Patches
Patched in 10.8.11 and 13.9.2
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-497" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-06-24T19:36:32Z" }- References
-
- https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-pgvc-6h2p-q4f6
- https://nvd.nist.gov/vuln/detail/CVE-2025-49147
- https://github.com/umbraco/Umbraco-CMS/commit/b4144564c836ec6929111ce2a12eb1f67b42d61e
- https://github.com/umbraco/Umbraco-CMS/commit/d8f68d2c40f8e158bd81d469f25ef3a4e1d86c4c
- https://github.com/umbraco/Umbraco-CMS
Affected packages
NuGet / Umbraco.Cms
Package
- Name
- Umbraco.Cms
- View open source insights on deps.dev
- Purl
- pkg:nuget/Umbraco.Cms
Affected versions
10.*
10.0.0
10.0.1
10.1.0-rc
10.1.0-rc2
10.1.0
10.1.1
10.2.0-rc
10.2.0
10.2.1
10.3.0-rc
10.3.0
10.3.1
10.3.2
10.4.0-rc
10.4.0
10.4.1
10.4.2
10.5.0-rc
10.5.0
10.5.1
10.6.0-rc
10.6.0
10.6.1
10.7.0-rc
10.7.0
10.8.0-rc
10.8.0
10.8.1
10.8.2
10.8.3
10.8.4
10.8.5
10.8.6
10.8.7
10.8.8
10.8.9
10.8.10
NuGet / Umbraco.Cms
Package
- Name
- Umbraco.Cms
- View open source insights on deps.dev
- Purl
- pkg:nuget/Umbraco.Cms
Affected versions
13.*
13.0.0
13.0.1
13.0.2
13.0.3
13.1.0-rc
13.1.0
13.1.1
13.2.0-rc
13.2.0
13.2.1
13.2.2
13.3.0-rc
13.3.0
13.3.1
13.3.2
13.4.0-rc
13.4.0-rc2
13.4.0
13.4.1
13.5.0-rc
13.5.0
13.5.1
13.5.2
13.5.3
13.6.0-rc
13.6.0-rc2
13.6.0
13.7.0-rc
13.7.0
13.7.1
13.7.2
13.8.0-rc
13.8.0
13.8.1
13.9.0-rc
13.9.0
13.9.1