CVE-2025-24011

MEDIUM

Umbraco CMS < 14.3.2 - Information Disclosure

Title source: rule

Description

Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available.

Exploits (1)

nomisec · WORKING POC · 1 star
by Puben · poc
https://github.com/Puben/CVE-2025-24011-PoC

Scores

CVSS v3 5.3
EPSS 0.3123
EPSS Percentile 96.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE
CWE-200 CWE-203
Status published

Affected Products (2)

umbraco/umbraco_cms < 14.3.2
nuget/Umbraco.Cms < 14.3.2 (NuGet)

Timeline

Published Jan 21, 2025
Tracked Since Feb 18, 2026