CVE-2024-43376
Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information
4.3
MEDIUM
CVSS 3.1
EPSS 0.49%
Description
### Impact

Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode.

### Explanation of the vulnerability

Management API endpoints leaked stack traces on internal server errors regardless of whether the debug setting was disabled, e.g. when paging with negative numbers in some APIs.
How to fix CVE-2024-43376
To remediate CVE-2024-43376, upgrade the affected package to a fixed version below.
- Upgrade to 14.1.2 or later
Is CVE-2024-43376 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 14.0.0, < 14.1.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |