Umbraco Password Requirement Disclosure Vulnerability

Vulnerability

A vulnerability exists in Umbraco CMS versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1. It allows information about the configured password requirements to be retrieved through an endpoint that is accessible to anonymous (unauthenticated) users. While the exposed information is limited, it could help an attacker tailor a brute-force attack against a user's password. Umbraco versions 7, 8, and 14 or later are not affected.

Impact

Exploitation of this vulnerability could assist brute-force attacks: disclosing the password complexity requirements narrows the set of candidate passwords an attacker needs to try, making it easier to guess or derive user passwords.

Remediation

Upgrade to Umbraco 10.8.11 or 13.9.2, which fix this vulnerability.

Added: Jun 24, 2025, 6:24 PM
Updated: Jun 24, 2025, 6:24 PM

Vulnerability Rating

Custom Algorithm

spread:          6.4
impact:          0.6
exploitability:  9.0
remediation:     7.7
relevance:       0.2
threat:          3.2
urgency:         2.9
incentive:      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.