
Vulnerability_id VCID-yhat-ry32-fqf5
Summary
Umbraco CMS disclosure of configured password requirements
Via a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password requirements. The information available is limited but would perhaps give some additional detail useful for someone attempting to brute force derive a user's password.

The vulnerability can be found in the supported Umbraco versions 10 and 13. It was not exposed in Umbraco 7 or 8, nor in 14 or higher versions.
Aliases
0
alias CVE-2025-49147
1
alias GHSA-pgvc-6h2p-q4f6
Fixed_packages
Affected_packages
0
url pkg:nuget/Umbraco.CMS@10.0.0
purl pkg:nuget/Umbraco.CMS@10.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2exh-k5tm-r3cy
1
vulnerability VCID-e5g9-xgrk-eqaf
2
vulnerability VCID-nhwe-aq8z-ryhn
3
vulnerability VCID-yhat-ry32-fqf5
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/Umbraco.CMS@10.0.0
1
url pkg:nuget/Umbraco.CMS@13.0.0
purl pkg:nuget/Umbraco.CMS@13.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-e5g9-xgrk-eqaf
1
vulnerability VCID-yhat-ry32-fqf5
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/Umbraco.CMS@13.0.0
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-49147
reference_id
reference_type
scores
0
value 0.00237
scoring_system epss
scoring_elements 0.46969
published_at 2026-06-05T12:55:00Z
1
value 0.00237
scoring_system epss
scoring_elements 0.46954
published_at 2026-06-07T12:55:00Z
2
value 0.00237
scoring_system epss
scoring_elements 0.46972
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-49147
1
reference_url https://github.com/umbraco/Umbraco-CMS
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/umbraco/Umbraco-CMS
2
reference_url https://github.com/umbraco/Umbraco-CMS/commit/b4144564c836ec6929111ce2a12eb1f67b42d61e
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-24T18:08:37Z/
url https://github.com/umbraco/Umbraco-CMS/commit/b4144564c836ec6929111ce2a12eb1f67b42d61e
3
reference_url https://github.com/umbraco/Umbraco-CMS/commit/d8f68d2c40f8e158bd81d469f25ef3a4e1d86c4c
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-24T18:08:37Z/
url https://github.com/umbraco/Umbraco-CMS/commit/d8f68d2c40f8e158bd81d469f25ef3a4e1d86c4c
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-49147
reference_id CVE-2025-49147
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-49147
5
reference_url https://github.com/advisories/GHSA-pgvc-6h2p-q4f6
reference_id GHSA-pgvc-6h2p-q4f6
reference_type
scores
url https://github.com/advisories/GHSA-pgvc-6h2p-q4f6
6
reference_url https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-pgvc-6h2p-q4f6
reference_id GHSA-pgvc-6h2p-q4f6
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-24T18:08:37Z/
url https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-pgvc-6h2p-q4f6
Weaknesses
0
cwe_id 497
name Exposure of Sensitive System Information to an Unauthorized Control Sphere
description The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score 4.0 - 6.9
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yhat-ry32-fqf5