Cyber Posture

CVE-2024-11625

High

Published: 07 January 2025

Published
07 January 2025
Modified
29 July 2025
KEV Added
Patch
CVSS Score 7.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0009 24.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-11625 is a high-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Progress Sitefinity. Its CVSS base score is 7.7 (High).

Operationally, ranked at the 24.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-11 Error Handling good match
prevent

Directly addresses the CVE by requiring error handling that prevents disclosure of sensitive information through error messages.

SI-2 Flaw Remediation good match
prevent

Ensures timely remediation of the specific flaw in Sitefinity that exposes sensitive data via error messages.

SI-15 Information Output Filtering good match
prevent

Filters system outputs, including error messages, to prevent unauthorized exposure of sensitive information to unauthenticated attackers.

NVD Description

Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.

Deeper analysisAI

CVE-2024-11625 is an Information Exposure Through an Error Message vulnerability (CWE-209) in Progress Software Corporation's Sitefinity content management system. It affects Sitefinity versions from 4.0 through 14.4.8142, 15.0.8200 through 15.0.8229, 15.1.8300 through 15.1.8327, and 15.2.8400 through 15.2.8421. The vulnerability has a CVSS v3.1 base score of 7.7 (High), with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L, indicating network accessibility, high attack complexity, no privileges or user interaction required, and impacts of high confidentiality and integrity loss alongside low availability disruption.

Unauthenticated remote attackers can exploit this vulnerability over the network by triggering specific error conditions that disclose sensitive information through error messages. Successful exploitation enables high confidentiality impact by exposing potentially sensitive data, high integrity impact through possible manipulation enabled by the leaked information, and low availability impact, though it requires sophisticated techniques due to the high complexity rating.

Progress Software has issued a security advisory detailing mitigation for CVE-2024-11625, available at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025. Additional resources on Sitefinity are at https://www.progress.com/sitefinity-cms. Security practitioners should review the advisory for patching instructions and apply updates to affected versions promptly.

Details

CWE(s)
CWE-209

Affected Products

progress
sitefinity
4.0 — 14.4.8143 · 15.0.8200 — 15.0.8230 · 15.1.8300 — 15.1.8328

CVEs Like This One

CVE-2024-11627Same product: Progress Sitefinity
CVE-2024-11626Same product: Progress Sitefinity
CVE-2025-0556Same vendor: Progress
CVE-2025-2324Same vendor: Progress
CVE-2026-2699Same vendor: Progress
CVE-2024-56133Same vendor: Progress
CVE-2026-4670Same vendor: Progress
CVE-2025-13447Same vendor: Progress
CVE-2024-56132Same vendor: Progress
CVE-2024-56135Same vendor: Progress

References