Lucene search

GoogleOSV:GHSA-77GJ-CRHP-3GVX

HistoryAug 20, 2024 - 6:25 p.m.

Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information

2024-08-2018:25:15

Google

osv.dev

umbraco cms

sensitive information

error message

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

17.7%

JSON

Impact

Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode.

Explanation of the vulnerability

Management API endpoints leaked stack traces in case of Internal server errors, no matter if the debug setting was disabled.

E.g. when paging with negative numbers in some apis

References

github.com/umbraco/Umbraco-CMS

github.com/umbraco/Umbraco-CMS/commit/b76070c794925932cb159ef50b851db6e966a004

github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-77gj-crhp-3gvx

nvd.nist.gov/vuln/detail/CVE-2024-43376

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

17.7%

JSON

Related for OSV:GHSA-77GJ-CRHP-3GVX