Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04cXA4LTlycHctajQ2Y84AA3ue

SMTP misconfiguration leading to "Forgot Password" exploit that leaks registered user email.

Impact

A user enumeration attack is possible when SMTP is not set up correctly but password reset is enabled.

Explanation of the vulnerability

Two different error messages were shown by the forgot password functionality, depending on whether the user exists, when SMTP was configured but did not respond.

Permalink: https://github.com/advisories/GHSA-8qp8-9rpw-j46c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cXA4LTlycHctajQ2Y84AA3ue
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 5 months ago
Updated: 4 months ago


CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-8qp8-9rpw-j46c, CVE-2023-49274
References: Repository: https://github.com/umbraco/Umbraco-CMS
Blast Radius: 1.0

Affected Packages

nuget:Umbraco.CMS
Dependent packages: 0
Dependent repositories: 0
Downloads: 1,856,006 total
Affected Version Ranges: >= 11.0.0, < 12.3.4; >= 9.0.0, < 10.8.1; >= 8.0.0, < 8.18.10
Fixed in: 12.3.4, 10.8.1, 8.18.10
All affected versions: 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 10.0.0, 10.0.1, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.4.0, 10.4.1, 10.4.2, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 10.7.0, 10.8.0, 11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.2.2, 11.3.0, 11.3.1, 11.4.0, 11.4.1, 11.4.2, 11.5.0, 12.0.0, 12.0.1, 12.1.0, 12.1.1, 12.1.2, 12.2.0, 12.3.0, 12.3.1, 12.3.2, 12.3.3
All unaffected versions: 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.3.8, 12.3.9, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.1.0, 13.1.1, 13.2.0, 13.2.1, 13.2.2, 13.3.0