VYPR
Low severity · NVD Advisory · Published Mar 20, 2024 · Updated Aug 2, 2024

Umbraco possible user enumeration vulnerability

CVE-2024-28868

Description

Umbraco is an ASP.NET content management system. Umbraco 10 prior to 10.8.4 with access to the native login screen is vulnerable to a possible user enumeration attack. This issue was fixed in version 10.8.5. As a workaround, one may disable the native login screen by exclusively using external logins.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            | Affected versions     | Patched versions
UmbracoCMS (NuGet) | >= 10.0.0, < 10.8.5   | 10.8.5

Patches

7e1d1a196800

Merge pull request from GHSA-552f-97wf-pmpq

1 file changed · +4 -4
  • src/Umbraco.Infrastructure/Security/UmbracoUserManager.cs (+4 -4, modified)
    @@ -134,8 +134,8 @@ public async Task<IdentityResult> ValidatePasswordAsync(string? password)
         /// <inheritdoc />
         public override async Task<bool> CheckPasswordAsync(TUser user, string? password)
         {
    -        // we cannot proceed if the user passed in does not have an identity
    -        if (user.HasIdentity == false)
    +        // we cannot proceed if the user passed in does not have an identity, or if no password is provided.
    +        if (user.HasIdentity == false || password is null)
             {
                 return false;
             }
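Review bot: The added `password is null` guard returns `false` on the same early path as the missing-identity case, so a null password is rejected before any user-dependent verification runs, which removes one way for the response to differ between existing and non-existing accounts. Consider widening the guard to `string.IsNullOrEmpty(password)` so an empty password takes the same early return, unless empty passwords must deliberately reach the verifier.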
    @@ -252,7 +252,7 @@ public override async Task<IdentityResult> AccessFailedAsync(TUser user)
         public async Task<bool> ValidateCredentialsAsync(string username, string password)
         {
             TUser user = await FindByNameAsync(username);
    -        
    +
             if (user == null)
             {
                 return false;
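Review bot: The `-`/`+` pair after `TUser user = await FindByNameAsync(username);` strips trailing whitespace only; mixing whitespace cleanup into a security fix enlarges the diff that reviewers and backporters have to read, so keep it out of the fix commit or call it out in the commit message. The `if (user == null) { return false; }` shown here is the path an unknown username takes, so any later change to this method should keep its result and timing indistinguishable from the wrong-password path.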
    @@ -263,7 +263,7 @@ public async Task<bool> ValidateCredentialsAsync(string username, string passwor
                 throw new NotSupportedException("The current user store does not implement " +
                                                 typeof(IUserPasswordStore<>));
             }
    -        
    +
             var result = await VerifyPasswordAsync(userPasswordStore, user, password);
     
             return result == PasswordVerificationResult.Success || result == PasswordVerificationResult.SuccessRehashNeeded;
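Review bot: `ValidateCredentialsAsync(string username, string password)` declares `password` as non-nullable `string`, while `CheckPasswordAsync` in the first hunk takes `string?` and now guards null; if any caller can still pass null here (nullable annotations are advisory at runtime), `VerifyPasswordAsync(userPasswordStore, user, password)` receives it without the same guard. Either add the same `password is null` early return before the verifier call or confirm every caller enforces the annotation. The other change in this hunk is trailing-whitespace only.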
    
