CVE-2017-12849 – silverstripe/cms
Package
Manager: composer
Name: silverstripe/cms
Vulnerable Version: >=0 <3.5.5 || >=3.6 <3.6.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0023 (percentile: 0.45765)
Details
Silverstripe CMS User Enumeration
Response discrepancy in the login and password reset forms in SilverStripe CMS before 3.5.5 and 3.6.x before 3.6.1 allows remote attackers to enumerate users via timing attacks.
Metadata
Created: 2022-05-17T00:28:41Z
Modified: 2023-07-26T23:10:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fwhr-g5r4-xgxf/GHSA-fwhr-g5r4-xgxf.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-fwhr-g5r4-xgxf
Finding: F038
Auto approve: 1