CVE-2023-49274 umbraco.cms

Package

Manager: nuget
Name: umbraco.cms
Vulnerable Version: >=8.0.0 <8.18.10 || >=9.0.0 <10.8.1 || >=11.0.0 <12.3.4

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00368 pctl0.57903

Details

SMTP misconfiguration leading to a "Forgot Password" exploit that leaks registered user emails.

Impact

A user enumeration attack is possible when SMTP is not set up correctly but password reset is enabled.

Explanation of the vulnerability

Two different error messages were shown, depending on whether the user exists, when using the forgot-password functionality while SMTP was configured but did not respond.
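As an added illustration (not Umbraco's code), a minimal forgot-password handler in Python showing the failure mode described above beside a fixed variant; the user store, the mail-sending stub and all function names are constructed for this example.

```python
import logging

log = logging.getLogger("forgot-password")

# Constructed user store for the example: only alice is registered.
USERS = {"alice@example.test": "user-id-1"}
GENERIC = "If an account exists for that address, a reset link has been sent."


class SmtpTimeout(Exception):
    """Stands in for an SMTP server that is configured but never answers."""


def send_reset_mail(address, smtp_responding):
    # Simulated mail transport; a real client raises in the same way on a dead server.
    if not smtp_responding:
        raise SmtpTimeout(f"no response from SMTP server while mailing {address}")


def forgot_password_vulnerable(email, smtp_responding):
    """The send-failure branch is only reachable for registered accounts,
    so its distinct error text reveals that the account exists."""
    if email not in USERS:
        return GENERIC
    try:
        send_reset_mail(email, smtp_responding)
    except SmtpTimeout:
        return "Error sending the password reset email. Please try again later."
    return GENERIC


def forgot_password_fixed(email, smtp_responding):
    """One response for every path; the transport failure is logged for the
    operator instead of being reported back to the requester."""
    user_id = USERS.get(email)
    if user_id is not None:
        try:
            send_reset_mail(email, smtp_responding)
        except SmtpTimeout as exc:
            log.error("password reset mail failed for user %s: %s", user_id, exc)
    return GENERIC


def leaks_existence(handler, smtp_responding):
    """Regression check: do a registered and an unregistered address get different replies?"""
    known = handler("alice@example.test", smtp_responding)
    unknown = handler("nobody@example.test", smtp_responding)
    return known != unknown
```

The fix equalises only the response text; any timing difference introduced by the mail call is a separate concern not covered by this advisory.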

Metadata

Created: 2023-12-13T13:26:34Z
Modified: 2024-01-12T16:28:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-8qp8-9rpw-j46c/GHSA-8qp8-9rpw-j46c.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-8qp8-9rpw-j46c
Finding: F038
Auto approve: 1