CVE-2024-28868

Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively using external logins.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/umbraco/Umbraco-CMS/commit/7e1d1a1968000226cd882fff078b122b8d46c44d	Patch
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-552f-97wf-pmpq	Vendor Advisory
https://github.com/umbraco/Umbraco-CMS/commit/7e1d1a1968000226cd882fff078b122b8d46c44d	Patch
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-552f-97wf-pmpq	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*

History

12 Feb 2025, 15:23

Type	Values Removed	Values Added
First Time		Umbraco Umbraco umbraco Cms
CPE		cpe:2.3:a:umbraco:umbraco_cms::::::::
CWE		CWE-203
References	~~() https://github.com/umbraco/Umbraco-CMS/commit/7e1d1a1968000226cd882fff078b122b8d46c44d -~~	() https://github.com/umbraco/Umbraco-CMS/commit/7e1d1a1968000226cd882fff078b122b8d46c44d - Patch
References	~~() https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-552f-97wf-pmpq -~~	() https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-552f-97wf-pmpq - Vendor Advisory

Information

Published : 2024-03-20 20:15

Updated : 2025-02-12 15:23

NVD link : CVE-2024-28868

Mitre link : CVE-2024-28868

CVE.ORG link : CVE-2024-28868

JSON object : View

Products Affected

umbraco

umbraco_cms

CWE

CWE-204

Observable Response Discrepancy

CWE-203

Observable Discrepancy

{"id": "CVE-2024-28868", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-03-20T20:15:09.110", "references": [{"url": "https://github.com/umbraco/Umbraco-CMS/commit/7e1d1a1968000226cd882fff078b122b8d46c44d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-552f-97wf-pmpq", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/umbraco/Umbraco-CMS/commit/7e1d1a1968000226cd882fff078b122b8d46c44d", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-552f-97wf-pmpq", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-204"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively using external logins."}, {"lang": "es", "value": "Umbraco es un sistema de gesti\u00f3n de contenidos ASP.NET. Umbraco 10 anterior a 10.8.4 con acceso a la pantalla de inicio de sesi\u00f3n nativa es vulnerable a un posible ataque de enumeraci\u00f3n de usuarios. Este problema se solucion\u00f3 en la versi\u00f3n 10.8.5. Como workaround, se puede desactivar la pantalla de inicio de sesi\u00f3n nativa utilizando exclusivamente inicios de sesi\u00f3n externos."}], "lastModified": "2025-02-12T15:23:09.683", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF8F4945-0845-4C1C-B088-CA288F15583A", "versionEndExcluding": "10.8.5", "versionStartIncluding": "10.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}