Information Disclosure in Umbraco CMS Affects User Password Security
CVE-2025-49147
What is CVE-2025-49147?
Umbraco, a free and open-source .NET content management system, is affected by an information disclosure vulnerability that impacts versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1. An attacker can exploit this vulnerability by sending a request to an anonymously authenticated endpoint, which may reveal some details about the password requirements configured in the system. Although the exposed information is limited, it can provide attackers with clues that could assist in brute-force attacks on user passwords. This vulnerability does not exist in Umbraco versions 7 or 8, nor in those higher than 14. The issue has been addressed in versions 10.8.11 and 13.9.2.
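An inventory check built from the version ranges stated above, as an added example that is not part of the original advisory or of Umbraco's code. The status labels, function names and sample inventory are assumptions made for illustration; major versions the advisory does not mention are reported as "not listed" rather than assumed safe.

```python
import re

# (first affected, first fixed) per branch, taken from the advisory text above.
AFFECTED = [((10, 0, 0), (10, 8, 11)), ((13, 0, 0), (13, 9, 2))]
_VERSION = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?")

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for strings like '13.9.2-rc1'."""
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4] is not None

def classify(text):
    """Return (status, upgrade_target) for one Umbraco-CMS version string."""
    core, prerelease = parse_version(text)
    for first_affected, first_fixed in AFFECTED:
        # Assumption: a pre-release of the fixed version (e.g. 13.9.2-rc1) may
        # predate the fix, so it is treated as affected.
        if first_affected <= core < first_fixed or (core == first_fixed and prerelease):
            return "affected", ".".join(map(str, first_fixed))
        if core[0] == first_fixed[0] and core >= first_fixed:
            return "patched", None
    # The advisory names 7, 8 and "higher than 14" as unaffected; anything else
    # (9, 11, 12, 14) is not mentioned, so it is flagged for manual review.
    if core[0] in (7, 8) or core[0] > 14:
        return "not affected", None
    return "not listed", None

def review(inventory):
    """Map host -> (version, status, upgrade_target), skipping hosts that need no action."""
    findings = {}
    for host, version in inventory.items():
        status, target = classify(version)
        if status in ("affected", "not listed"):
            findings[host] = (version, status, target)
    return findings

# Constructed sample inventory (hypothetical host names).
SAMPLE = {"cms-a": "13.9.1", "cms-b": "10.8.11", "cms-c": "12.3.0",
          "cms-d": "8.18.0", "cms-e": "13.9.2-rc1"}

if __name__ == "__main__":
    for host, finding in review(SAMPLE).items():
        print(host, *finding)
```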

Affected Version(s)
Umbraco-CMS >= 10.0.0, < 10.8.111 < 10.0.0, 10.8.111
Umbraco-CMS >= 13.0.0, < 13.9.2 < 13.0.0, 13.9.2
