VYPR
Moderate severity · NVD Advisory · Published Mar 11, 2025 · Updated Mar 11, 2025

Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality

CVE-2025-27601

Description

Umbraco is a free and open source .NET content management system. An improper API access control issue has been identified in Umbraco's API management package prior to versions 15.2.3 and 14.3.3. It allows low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. The issue is patched in versions 15.2.3 and 14.3.3. No known workarounds are available.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| Umbraco.Cms.Api.Management (NuGet) | >= 15.0.0-rc1, < 15.2.3 | 15.2.3 |
| Umbraco.Cms.Api.Management (NuGet) | < 14.3.3 | 14.3.3 |
