Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03eDc0LWg4Y3ctcWh4cc4AA3uf
Brute force exploit can be used to collect valid usernames
Impact
A brute force exploit that can be used to collect valid usernames is possible.
Explanation of the vulnerability
It's a brute force exploit that can be used to collect valid usernames by using the “forgot password” function when trying to log into the Backoffice.
If the username/email is known, it is easier to find the corresponding password.
If an email address that was already used and registered by a user, is provided as an input, the server internal processing time takes longer.
If the email address does not exist in the database of the registered users, the server would respond immediately.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03eDc0LWg4Y3ctcWh4cc4AA3uf
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
EPSS Percentage: 0.00063
EPSS Percentile: 0.29529
Identifiers: GHSA-7x74-h8cw-qhxq, CVE-2023-49278
References:
- https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-7x74-h8cw-qhxq
- https://nvd.nist.gov/vuln/detail/CVE-2023-49278
- https://github.com/advisories/GHSA-7x74-h8cw-qhxq
Blast Radius: 1.0
Affected Packages
nuget:Umbraco.CMS
Dependent packages: 46Dependent repositories: 0
Downloads: 2,823,189 total
Affected Version Ranges: >= 11.0.0, < 12.3.4, >= 9.0.0, < 10.8.1, >= 8.0.0, < 8.18.10
Fixed in: 12.3.4, 10.8.1, 8.18.10
All affected versions: 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 10.0.0, 10.0.1, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.4.0, 10.4.1, 10.4.2, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 10.7.0, 10.8.0, 11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.2.2, 11.3.0, 11.3.1, 11.4.0, 11.4.1, 11.4.2, 11.5.0, 12.0.0, 12.0.1, 12.1.0, 12.1.1, 12.1.2, 12.2.0, 12.3.0, 12.3.1, 12.3.2, 12.3.3
All unaffected versions: 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.8.6, 10.8.7, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.3.8, 12.3.9, 12.3.10, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.1.0, 13.1.1, 13.2.0, 13.2.1, 13.2.2, 13.3.0, 13.3.1, 13.3.2, 13.4.0, 13.4.1, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.1.2, 14.2.0, 14.3.0, 14.3.1, 15.0.0, 15.1.0, 15.1.1