CVE-2025-24011
21.01.2025, 16:15
Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available.Enginsight
| Vendor | Product | Version |
|---|---|---|
| umbraco | umbraco_cms | 14.0.0 ≤ 𝑥 < 14.3.2 |
| umbraco | umbraco_cms | 15.0.0 ≤ 𝑥 < 15.1.2 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-200 - Exposure of Sensitive Information to an Unauthorized ActorThe product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-203 - Observable DiscrepancyThe product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.