Umbraco User Enumeration Vulnerability via Management API Timing and Response Analysis

Vulnerability

A vulnerability in Umbraco CMS versions 14.0.0 and later, prior to the fixed releases 14.3.2 and 15.1.2, allows user enumeration through the management API. An attacker can infer whether an account exists by observing the response codes and the timing of API replies. The root cause is that the login endpoint can be manipulated into applying a consistent delay to failed login attempts, while successful logins are processed immediately; this discrepancy can be used to determine whether a username exists in the system.

Impact

Exploitation of this vulnerability could allow unauthorized users to determine which accounts exist in the Umbraco CMS management API, which can facilitate further attacks such as password guessing or phishing.

Reproduction

To reproduce this vulnerability, send login requests to the Umbraco management API's login endpoint and record the response time and status code of each reply. Failed login attempts take measurably longer because the API deliberately delays them, whereas successful logins are processed without that delay. This timing difference can be used to infer the existence of accounts.
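The behaviour above, and the fix the patched releases apply, come down to one design rule for a login endpoint: neither the status code, the scheduled delay nor the amount of work performed may depend on whether the submitted username exists. The following Python is an added illustration written for this advisory; it is not Umbraco code, and the status codes, delay, salt, account and password-hashing parameters are all constructed. It contrasts a handler with the leaky pattern (an early return for unknown users, a delay only on a failed password check, immediate success) against a hardened handler that hashes against a dummy value for unknown users and returns an identical failure response either way, plus a self-check a defender can run against their own handler.

```python
"""Login-endpoint side channel: leaky handler vs hardened handler (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict

PBKDF2_ITERATIONS = 50_000  # constructed work factor; a real deployment tunes this
FAILURE_DELAY_MS = 1000     # constructed anti-brute-force delay applied before replying


@dataclass(frozen=True)
class LoginResponse:
    """What the handler would send back; recorded instead of sleeping so it is testable."""
    status: int     # HTTP status code (constructed values, not Umbraco's real codes)
    delay_ms: int   # delay the handler scheduled before replying
    did_hash: bool  # whether a password hash was computed (CPU-time side channel)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash; cost is what makes 'skip the hash' an observable timing leak."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store: one account, a fixed salt, and a dummy hash used to
# equalise the work done when the username does not exist.
SALT = b"constructed-static-salt"
USERS: Dict[str, bytes] = {"editor@example.invalid": hash_password("correct horse", SALT)}
DUMMY_HASH = hash_password("not-a-real-password", SALT)


def vulnerable_login(username: str, password: str) -> LoginResponse:
    """Leaky pattern: unknown users return early with their own status and no hashing,
    only a failed password check is delayed, and success is immediate."""
    stored = USERS.get(username)
    if stored is None:
        return LoginResponse(status=400, delay_ms=0, did_hash=False)  # fast and distinct
    if hmac.compare_digest(hash_password(password, SALT), stored):
        return LoginResponse(status=200, delay_ms=0, did_hash=True)
    return LoginResponse(status=401, delay_ms=FAILURE_DELAY_MS, did_hash=True)


def hardened_login(username: str, password: str) -> LoginResponse:
    """Every failure path does the same work and sends the same status and delay,
    so neither timing nor status code reveals whether the account exists."""
    stored = USERS.get(username, DUMMY_HASH)       # always have something to hash against
    candidate = hash_password(password, SALT)      # always pay the hashing cost
    # The membership check guards against the dummy password matching DUMMY_HASH.
    if username in USERS and hmac.compare_digest(candidate, stored):
        return LoginResponse(status=200, delay_ms=0, did_hash=True)
    return LoginResponse(status=401, delay_ms=FAILURE_DELAY_MS, did_hash=True)


def leaks_account_existence(handler: Callable[[str, str], LoginResponse]) -> bool:
    """Defender's self-check: compare the reply for a username that does not exist with
    the reply for a real username and a wrong password. Any difference in status,
    scheduled delay or work done is an enumeration oracle."""
    unknown = handler("nobody@example.invalid", "wrong-password")
    known_bad = handler("editor@example.invalid", "wrong-password")
    return unknown != known_bad


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(f"{name}: leaks account existence = {leaks_account_existence(handler)}")
```

Measuring a handler's responses is not limited to unit tests: the same comparison can be run over access-log latency percentiles split by outcome, and a persistent gap between "unknown user" and "wrong password" requests is the signal to look for after deploying a fix.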

Remediation

Users can upgrade to Umbraco versions 14.3.2 or 15.1.2, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 9.3
remediation: 7.7
relevance: 0.0
threat: 5.5
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.