CVE-2024-48926

MEDIUM

Umbraco Cms < 8.18.15 - Insufficient Session Expiration

Title source: rule

Description

Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message before the server session has fully expired, causing users to believe they have been logged out approximately 30 seconds before they actually are. Versions 13.5.2, 10.8,7, and 8.18.15 contain a patch for the issue.

References (1)

[Vendor Advisory] https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-fp6q-gccw-7qqm

Scores

CVSS v3 4.2

EPSS 0.0037

EPSS Percentile 59.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-613

Status published

Products (3)

nuget/Umbraco.CMS 13.0.0 - 13.5.2NuGet

nuget/UmbracoCMS 8.0.0 - 8.18.15NuGet

umbraco/umbraco_cms 8.0 - 8.18.15

Published Oct 22, 2024

Tracked Since Feb 18, 2026