Moderate severityNVD Advisory· Published Aug 20, 2024· Updated Aug 20, 2024

Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information

CVE-2024-43376

Description

Umbraco is an ASP.NET CMS. Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode. This vulnerability is fixed in 14.1.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
Umbraco.Cms.Api.ManagementNuGet	>= 14.0.0, < 14.1.2	14.1.2

Affected products

Umbraco/Umbraco CMSv5
Range: >= 14.0.0, < 14.1.2

Patches

b76070c79492

Merge commit from fork

https://github.com/umbraco/Umbraco-CMSBjarke BergAug 19, 2024via ghsa

commit

2 files changed · +14 −9

src/Umbraco.Cms.Api.Management/DependencyInjection/ApplicationBuilderExtensions.cs+4 −3 modified

@@ -33,6 +33,7 @@ internal static IApplicationBuilder UseProblemDetailsExceptionHandling(this IApp
             {
                 innerBuilder.UseExceptionHandler(exceptionBuilder => exceptionBuilder.Run(async context =>
                 {
+                    var isDebug = context.RequestServices.GetRequiredService<IHostingEnvironment>().IsDebugMode;
                     Exception? exception = context.Features.Get<IExceptionHandlerPathFeature>()?.Error;
                     if (exception is null)
                     {
@@ -42,16 +43,16 @@ internal static IApplicationBuilder UseProblemDetailsExceptionHandling(this IApp
                     var response = new ProblemDetails
                     {
                         Title = exception.Message,
-                        Detail = exception.StackTrace,
+                        Detail = isDebug ? exception.StackTrace : null,
                         Status = StatusCodes.Status500InternalServerError,
-                        Instance = exception.GetType().Name,
+                        Instance = isDebug ? exception.GetType().Name : null,
                         Type = "Error"
                     };
                     await context.Response.WriteAsJsonAsync(response);
                 }));
             });
 
-    internal static IApplicationBuilder UseEndpoints(this IApplicationBuilder applicationBuilder)
+internal static IApplicationBuilder UseEndpoints(this IApplicationBuilder applicationBuilder)
     {
         IServiceProvider provider = applicationBuilder.ApplicationServices;

src/Umbraco.Web.Common/AspNetCore/AspNetCoreHostingEnvironment.cs+10 −6 modified

@@ -43,14 +43,14 @@ public AspNetCoreHostingEnvironment(
         _webHostEnvironment = webHostEnvironment ?? throw new ArgumentNullException(nameof(webHostEnvironment));
         _urlProviderMode = _webRoutingSettings.CurrentValue.UrlProviderMode;
 
-        SetSiteName(hostingSettings.CurrentValue.SiteName);
+        SetSiteNameAndDebugMode(hostingSettings.CurrentValue);
 
         // We have to ensure that the OptionsMonitor is an actual options monitor since we have a hack
         // where we initially use an OptionsMonitorAdapter, which doesn't implement OnChange.
         // See summery of OptionsMonitorAdapter for more information.
         if (hostingSettings is OptionsMonitor<HostingSettings>)
         {
-            hostingSettings.OnChange(settings => SetSiteName(settings.SiteName));
+            hostingSettings.OnChange(settings => SetSiteNameAndDebugMode(settings));
         }
 
         ApplicationPhysicalPath = webHostEnvironment.ContentRootPath;
@@ -95,7 +95,7 @@ public string ApplicationId
         _hostingSettings.CurrentValue.ApplicationVirtualPath?.EnsureStartsWith('/') ?? "/";
 
     /// <inheritdoc />
-    public bool IsDebugMode => _hostingSettings.CurrentValue.Debug;
+    public bool IsDebugMode { get; private set; }
 
     public string LocalTempPath
     {
@@ -188,8 +188,12 @@ public void EnsureApplicationMainUrl(Uri? currentApplicationUrl)
         }
     }
 
-    private void SetSiteName(string? siteName) =>
-        SiteName = string.IsNullOrWhiteSpace(siteName)
+    private void SetSiteNameAndDebugMode(HostingSettings hostingSettings)
+    {
+        SiteName = string.IsNullOrWhiteSpace(hostingSettings.SiteName)
             ? _webHostEnvironment.ApplicationName
-            : siteName;
+            : hostingSettings.SiteName;
+
+        IsDebugMode = hostingSettings.Debug;
+    }
 }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-77gj-crhp-3gvxghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-43376ghsaADVISORY
github.com/umbraco/Umbraco-CMS/commit/b76070c794925932cb159ef50b851db6e966a004ghsax_refsource_MISCWEB
github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-77gj-crhp-3gvxghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000