CVE-2025-27601

Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality

CVSS 4.3 MEDIUMEPSS 0.3%CWE-285 CWE-863

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 4.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

11 mar 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Productos afectados

umbraco · Umbraco-CMS

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/umbraco/Umbraco-CMS/commit/d9fb6df16e9adf8656181cac8497fc5ba23321cd https://github.com/umbraco/Umbraco-CMS/commit/ebb6a580dc1da2c772a99838dc7b4660bf77eb9c https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6ffg-mjg7-585x