QwikSec

Security Database

CVE

CWE

Training

CVE-2025-27601

Published: Mar 11, 2025

Modified: Mar 11, 2025

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available.

Vendor	Product	Versions
umbraco	Umbraco-CMS	affected `>= 15.0.0-rc1, < 15.2.3` affected `< 14.3.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6ffg-mjg7-585x

x_refsource_CONFIRM

https://github.com/umbraco/Umbraco-CMS/commit/d9fb6df16e9adf8656181cac8497fc5ba23321cd

x_refsource_MISC

https://github.com/umbraco/Umbraco-CMS/commit/ebb6a580dc1da2c772a99838dc7b4660bf77eb9c

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.