CVE-2025-27602
Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content
Severity Score
4.9
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folders the editor does not have access to. The issue is patched in versions 10.8.9 and 13.7.1. No known workarounds are available.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2025-03-03 CVE Reserved
- 2025-03-11 CVE Published
- 2025-03-11 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-285: Improper Authorization
- CWE-863: Incorrect Authorization
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/umbraco/Umbraco-CMS/commit/5b54bed406682ceff57903bf7d3c57814eef31a7 | X_refsource_misc | |
| https://github.com/umbraco/Umbraco-CMS/commit/7888b9a4ce5ae7f9bda7ff3bb705b8fcd2f1675d | X_refsource_misc | |
| https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wx5h-wqfq-v698 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Umbraco Search vendor "Umbraco" | Umbraco-CMS Search vendor "Umbraco" for product "Umbraco-CMS" | < 10.8.9 Search vendor "Umbraco" for product "Umbraco-CMS" and version " < 10.8.9" | en |
Affected
| ||||||
| Umbraco Search vendor "Umbraco" | Umbraco-CMS Search vendor "Umbraco" for product "Umbraco-CMS" | >= 11.0.0 < 13.7.1 Search vendor "Umbraco" for product "Umbraco-CMS" and version " >= 11.0.0 < 13.7.1" | en |
Affected
| ||||||