Lucene search

GitHub_MVULNRICHMENT:CVE-2024-43376

HistoryAug 20, 2024 - 2:40 p.m.

CVE-2024-43376 Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information

2024-08-2014:40:20

CWE-209

GitHub_M

github.com

umbraco

asp.net

management api

sensitive information

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

Confidence

Low

EPSS

0.001

Percentile

17.7%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Umbraco is an ASP.NET CMS. Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode. This vulnerability is fixed in 14.1.2.

CNA Affected

[
  {
    "vendor": "umbraco",
    "product": "Umbraco-CMS",
    "versions": [
      {
        "status": "affected",
        "version": ">= 14.0.0, < 14.1.2"
      }
    ]
  }
]

References

github.com/umbraco/Umbraco-CMS/commit/b76070c794925932cb159ef50b851db6e966a004

github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-77gj-crhp-3gvx

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

Confidence

Low

EPSS

0.001

Percentile

17.7%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-43376