Skip to main content

Umbraco Cms CVE-2024-48925

MEDIUM
Improper Access Control (CWE-284)
2024-10-22 security-advisories@github.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 22, 2024 - 16:15 nvd
MEDIUM 6.5

DescriptionNVD

Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 and prior to version 14.3.0. The issue allows low-privilege users to access the webhook API and retrieve information that should be restricted to users with access to the settings section. Version 14.3.0 contains a patch.

AnalysisAI

Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 and prior to version 14.3.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-284. Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 and prior to version 14.3.0. The issue allows low-privilege users to access the webhook API and retrieve information that should be restricted to users with access to the settings section. Version 14.3.0 contains a patch. Affected products include: Umbraco Umbraco Cms. Version information: version 14.0.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2012-10054 CRITICAL POC
9.3 Aug 13

Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx

CVE-2020-9471 HIGH POC
8.8 Mar 16

Umbraco Cloud 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package

CVE-2024-10761 MEDIUM POC
6.9 Nov 04

A vulnerability was found in Umbraco CMS up to 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1. Rated medium severity (CVSS 6.9), thi

CVE-2024-55488 MEDIUM POC
6.5 Jan 22

A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scrip

CVE-2020-5811 MEDIUM POC
6.5 Dec 30

An authenticated path traversal vulnerability exists during package installation in Umbraco CMS <= 8.9.1 or current, whi

CVE-2020-9472 MEDIUM POC
6.5 Mar 16

Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package f

CVE-2012-1301 CRITICAL
9.8 Apr 13

The FeedProxy.aspx script in Umbraco 4.7.0 allows remote attackers to proxy requests on their behalf via the "url" param

CVE-2025-67288 CRITICAL
10.0 Dec 22

Arbitrary code execution in Umbraco CMS 16.3.3 is claimed via upload of a crafted PDF file that abuses insufficient file

CVE-2023-37267 CRITICAL
9.8 Jul 13

Umbraco is a ASP.NET CMS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authenticat

CVE-2020-5810 MEDIUM POC
5.4 Dec 30

A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. Rated medium severity (CVSS 5.4), this vulnerabili

CVE-2020-5809 MEDIUM POC
5.4 Dec 30

A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. Rated medium severity (CVSS 5.4), this vulnerabili

CVE-2021-47776 MEDIUM POC
5.3 Jan 15

Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl par

Share

CVE-2024-48925 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy