Umbraco CMS User Enumeration Vulnerability via Login Timing Analysis

Vulnerability

A user enumeration vulnerability has been identified in Umbraco CMS, a .NET content management system. The issue affects the 10.x branch up to and including 10.8.9 and the 13.x branch up to and including 13.8.0. It arises because the timing of post-login API responses can be analyzed to reveal whether a specific account exists. The issue has been addressed in versions 10.8.10 and 13.8.1.

Impact

Exploitation of this vulnerability allows user enumeration: an attacker can determine whether a given user account exists by analyzing response timing during the login process.

Reproduction

To reproduce this vulnerability, send login requests to the Umbraco CMS authentication endpoint. Monitor the response times for each request. Accounts that exist will typically result in a faster response compared to those that do not, allowing for the inference of valid usernames.

Remediation

Upgrade to Umbraco CMS version 10.8.10 (10.x branch) or 13.8.1 (13.x branch) to address this vulnerability.
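The advisory does not describe how the vendor fixed the timing difference, and the example below is not Umbraco's code or its patch. It is an added illustration of the general mitigation for this class of flaw: a login handler that returns early for unknown usernames skips the password-hashing work and so answers faster, while a hardened handler performs the same amount of work whether or not the account exists. The user store, the PBKDF2 parameters and the sample account are constructed for the example; the hash-call counter is instrumentation so the difference can be checked deterministically rather than by measuring wall-clock time.

```python
import hashlib
import hmac
import os
import secrets
import time
from statistics import median

# Constructed parameters for the example; not values from Umbraco.
ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    """Deliberately expensive password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class UserStore:
    """Minimal in-memory credential store (constructed for the example)."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}
        self.hash_calls = 0  # instrumentation: how many password hashes a login attempt cost
        # Dummy credential used to equalize work when the username is unknown.
        self.dummy_salt = os.urandom(16)
        self.dummy_hash = _hash(secrets.token_hex(16), self.dummy_salt)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def _verify(self, password: str, salt: bytes, expected: bytes) -> bool:
        self.hash_calls += 1
        return hmac.compare_digest(_hash(password, salt), expected)

    def login_leaky(self, username: str, password: str) -> bool:
        """Vulnerable pattern: unknown users are rejected before any hashing,
        so the response is measurably faster than for an existing account."""
        record = self.users.get(username)
        if record is None:
            return False
        salt, expected = record
        return self._verify(password, salt, expected)

    def login_hardened(self, username: str, password: str) -> bool:
        """Hardened pattern: an unknown username still pays for one hash
        against a dummy credential, so both paths do the same work."""
        record = self.users.get(username)
        if record is None:
            self._verify(password, self.dummy_salt, self.dummy_hash)  # result discarded
            return False
        salt, expected = record
        return self._verify(password, salt, expected)


def demo_store() -> UserStore:
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")  # constructed sample account
    return store


def hash_work(store: UserStore, handler: str, username: str, password: str) -> int:
    """Return how many password hashes one login attempt performed."""
    before = store.hash_calls
    getattr(store, handler)(username, password)
    return store.hash_calls - before


def median_latency(store: UserStore, handler: str, username: str, rounds: int = 5) -> float:
    """Median wall-clock seconds per attempt; for a reader running the block by hand."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        getattr(store, handler)(username, "wrong password")
        samples.append(time.perf_counter() - start)
    return median(samples)


if __name__ == "__main__":
    s = demo_store()
    for handler in ("login_leaky", "login_hardened"):
        known = median_latency(s, handler, "alice")
        unknown = median_latency(s, handler, "nobody")
        print(f"{handler:15s} existing={known:.4f}s unknown={unknown:.4f}s")
```

Running the block prints a clear gap between the existing and unknown user for `login_leaky` and near-identical latencies for `login_hardened`. Equalizing work on the unknown-user path is the mitigation; the generic failure message that both paths already return is necessary but not sufficient, because the timing side channel bypasses it.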

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 8.6
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.