SCA: security update for Umbraco.Cms (GHSA-pgvc-6h2p-q4f6)

medium Tenable Cloud Security Plugin ID 437174

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Umbraco, a free and open source .NET content management system, has a vulnerability in versions 10.0.0
through 10.8.10 and 13.0.0 through 13.9.1. Via a request to an anonymously authenticated endpoint it's
possible to retrieve information about the configured password requirements. The information available is
limited but would perhaps give some additional detail useful for someone attempting to brute force derive
a user's password. This information was not exposed in Umbraco 7 or 8, nor in 14 or higher versions. The
vulnerability is patched in versions 10.8.11 and 13.9.2. (CVE-2025-49147)

See Also

https://github.com/advisories/GHSA-pgvc-6h2p-q4f6

Plugin Details

Severity: Medium

ID: 437174

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/28/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2025-49147

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/24/2025

Vulnerability Publication Date: 6/24/2025

Reference Information

CVE: CVE-2025-49147

cwe: CWE-497