GHSA-6ffg-mjg7-585x

Source
https://github.com/advisories/GHSA-6ffg-mjg7-585x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-6ffg-mjg7-585x/GHSA-6ffg-mjg7-585x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6ffg-mjg7-585x
Aliases
Published
2025-03-11T15:27:28Z
Modified
2025-03-12T15:10:23.278212Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality
Details

Impact

An improper API access control issue has been identified, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section.

Patches

Will be patched in 14.3.3 and 15.2.3.

Workarounds

None available.

Database specific
{
    "nvd_published_at": "2025-03-11T16:15:17Z",
    "cwe_ids": [
        "CWE-285",
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-11T15:27:28Z"
}
References

Affected packages

NuGet / Umbraco.Cms.Api.Management

Package

Name
Umbraco.Cms.Api.Management
Purl
pkg:nuget/Umbraco.Cms.Api.Management

Affected ranges

Type
ECOSYSTEM
Events
Introduced
15.0.0-rc1
Fixed
15.2.3

Affected versions

15.*

15.0.0-rc1
15.0.0-rc2
15.0.0-rc3
15.0.0-rc4
15.0.0
15.1.0-rc
15.1.0-rc2
15.1.0
15.1.1
15.1.2
15.2.0-rc
15.2.0
15.2.1
15.2.2

Database specific

{
    "last_known_affected_version_range": "<= 15.2.2"
}

NuGet / Umbraco.Cms.Api.Management

Package

Name
Umbraco.Cms.Api.Management
Purl
pkg:nuget/Umbraco.Cms.Api.Management

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
14.3.3

Affected versions

14.*

14.0.0-rc1
14.0.0-rc2
14.0.0-rc3
14.0.0-rc4
14.0.0-rc5
14.0.0
14.1.0-rc
14.1.0-rc2
14.1.0
14.1.1
14.1.2
14.2.0-rc
14.2.0-rc2
14.2.0-rc3
14.2.0
14.3.0-rc
14.3.0
14.3.1
14.3.2

Database specific

{
    "last_known_affected_version_range": "<= 14.3.2"
}