CVE-2023-49278 – umbraco.cms

Package

Manager: nuget
Name: umbraco.cms
Vulnerable Version: >=8.0.0 <8.18.10 || >=9.0.0 <10.8.1 || >=11.0.0 <12.3.4

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00315 pctl0.53972

Details

Brute force exploit can be used to collect valid usernames #### Impact A brute force exploit that can be used to collect valid usernames is possible. #### Explanation of the vulnerability It's a brute force exploit that can be used to collect valid usernames by using the “forgot password” function when trying to log into the Backoffice. If the username/email is known, it is easier to find the corresponding password. If an email address that was already used and registered by a user, is provided as an input, the server internal processing time takes longer. If the email address does not exist in the database of the registered users, the server would respond immediately.

Metadata

Created: 2023-12-13T13:27:06Z
Modified: 2024-01-12T16:27:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-7x74-h8cw-qhxq/GHSA-7x74-h8cw-qhxq.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-7x74-h8cw-qhxq
Finding: F038
Auto approve: 1