Umbraco 10 Vulnerable to User Enumeration Attack
CVE-2024-28868

5.3MEDIUM

Key Information:

Vendor: Umbraco
Status: Umbraco-cms
Vendor: CVE Published:; 20 March 2024

What is CVE-2024-28868?

Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively using external logins.

Affected Version(s)

Umbraco-CMS >= 10.0.0, < 10.8.5

References

https://github.com/umbraco/Umbraco-CMS/security/advisorie...

x_refsource_CONFIRM

https://github.com/umbraco/Umbraco-CMS/commit/7e1d1a19680...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2024
Vulnerability Reserved
Mar 11, 2024