CVE-2024-43376 Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information

2024-08-2014:40:20

CWE-209

GitHub_M

www.cve.org

umbraco

asp.net

management api

stack trace

debug mode

vulnerability

14.1.2

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

17.7%

JSON

Umbraco is an ASP.NET CMS. Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode. This vulnerability is fixed in 14.1.2.

CNA Affected

[
  {
    "vendor": "umbraco",
    "product": "Umbraco-CMS",
    "versions": [
      {
        "version": ">= 14.0.0, < 14.1.2",
        "status": "affected"
      }
    ]
  }
]