CVE-2025-27601

Severity: MEDIUM · EPSS 21.5%
Published Mar 11, 2025 · Modified Jun 17, 2026
CVSS 3.1 base score 4.3 (Medium)

Description

Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified in Umbraco's API management package prior to versions 15.2.3 and 14.3.3, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available.

CVSS Details

Base Score
4.3
Exploitability
2.8
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
21.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (2)

CWE-285 Improper Authorization
CWE-863 Incorrect Authorization

Affected Products (2)

Vendor    Product       Version Range
umbraco   umbraco_cms   * <14.3.3
umbraco   umbraco_cms   ≥15.0.0 – <15.2.3

References (3)

  • https://github.com/umbraco/Umbraco-CMS/commit/d9fb6df16e9adf8656181cac8497fc5ba23321cd (Patch)
  • https://github.com/umbraco/Umbraco-CMS/commit/ebb6a580dc1da2c772a99838dc7b4660bf77eb9c (Patch)
  • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-6ffg-mjg7-585x (Third Party Advisory)

Remediation

  • https://github.com/umbraco/Umbraco-CMS/commit/d9fb6df16e9adf8656181cac8497fc5ba23321cd (Patch)
  • https://github.com/umbraco/Umbraco-CMS/commit/ebb6a580dc1da2c772a99838dc7b4660bf77eb9c (Patch)