Lucene search

GitHub Advisory DatabaseGHSA-77GJ-CRHP-3GVX

HistoryAug 20, 2024 - 6:25 p.m.

Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information

2024-08-2018:25:15

CWE-209

GitHub Advisory Database

github.com

umbraco cms

error message

sensitive information

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

17.7%

JSON

Impact

Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode.

Explanation of the vulnerability

Management API endpoints leaked stack traces in case of Internal server errors, no matter if the debug setting was disabled.

E.g. when paging with negative numbers in some apis

Affected configurations

Vulners

Node

umbraco.cms.api.managementRange<14.1.2

VendorProductVersionCPE
*umbraco.cms.api.management*cpe:2.3:a:*:umbraco.cms.api.management:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	umbraco.cms.api.management	*	cpe:2.3:a::umbraco.cms.api.management::::::::*

References

github.com/advisories/GHSA-77gj-crhp-3gvx

github.com/umbraco/Umbraco-CMS/commit/b76070c794925932cb159ef50b851db6e966a004

github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-77gj-crhp-3gvx

nvd.nist.gov/vuln/detail/CVE-2024-43376

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

17.7%

JSON

Related for GHSA-77GJ-CRHP-3GVX