CVE-2024-43376 – umbraco.cms.api.management
Package
Manager: nuget
Name: umbraco.cms.api.management
Vulnerable Version: >=14.0.0 <14.1.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00155 (percentile: 0.36777)
Details
Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information

### Impact
Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode.

### Explanation of the vulnerability
Management API endpoints leaked stack traces on internal server errors, even when the debug setting was disabled, for example when paging with negative numbers in some APIs.
Metadata
Created: 2024-08-20T18:25:15Z
Modified: 2024-09-17T16:24:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-77gj-crhp-3gvx/GHSA-77gj-crhp-3gvx.json
CWE IDs: ["CWE-209"]
Alternative ID: GHSA-77gj-crhp-3gvx
Finding: F037
Auto approve: 1