Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04cXA4LTlycHctajQ2Y84AA3ue
SMTP misconfiguration leading to "Forgot Password" exploit that leaks registered user email.
Impact
A user enumeration attack is possible when SMTP is not set up correctly but the password reset feature is enabled.
Explanation of the vulnerability
Two different error messages were shown, depending on whether the user existed, when the forgot-password functionality was used while SMTP was configured but not responding. The response therefore acted as an oracle: an attacker could submit candidate e-mail addresses and learn which ones belonged to registered users.
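The oracle described above and a response-uniform fix, as an added example that is not Umbraco's code. The user store, the "SMTP down" condition and the hypothetical handler names (forgot_password_vulnerable, forgot_password_hardened, enumerate_users, drain_outbox) are all constructed for illustration; the hardened handler also moves mail delivery off the request path so that a slow or dead SMTP server cannot become a timing oracle either.

```python
"""Constructed example (not Umbraco code): a user-enumeration oracle in a
"forgot password" flow when SMTP is configured but not responding, beside
a hardened handler that answers identically whether or not the account exists.
"""
from dataclasses import dataclass

# Constructed user store; assumption: the e-mail address is the login identifier.
USERS = {"alice@example.com": "Alice", "bob@example.com": "Bob"}

GENERIC = "If an account with that address exists, a reset e-mail has been sent."


class SmtpDown(Exception):
    """Simulates an SMTP server that is configured but never answers."""


def send_reset_mail(address, smtp_ok):
    """Simulated mail send: raises when the (hypothetical) SMTP server is down."""
    if not smtp_ok:
        raise SmtpDown("connection to mail server timed out")
    return True


@dataclass
class Outcome:
    status: int
    message: str


def forgot_password_vulnerable(email, smtp_ok):
    """Vulnerable pattern: unknown users get the generic answer, but a send
    failure for a known user surfaces as a different status and message."""
    if email not in USERS:
        return Outcome(200, GENERIC)
    try:
        send_reset_mail(email, smtp_ok)
    except SmtpDown:
        # This branch is only reachable for existing users: the leak.
        return Outcome(500, "Could not send the reset e-mail; contact an administrator.")
    return Outcome(200, GENERIC)


def forgot_password_hardened(email, outbox):
    """Hardened pattern: the response never depends on account existence or on
    mail delivery. Delivery is queued and handled by a background worker."""
    if email in USERS:
        outbox.append(email)
    return Outcome(200, GENERIC)


def drain_outbox(outbox, smtp_ok, audit_log):
    """Background worker: attempts delivery; failures go to the audit log,
    where an administrator sees the SMTP misconfiguration, not the attacker."""
    while outbox:
        address = outbox.pop(0)
        try:
            send_reset_mail(address, smtp_ok)
        except SmtpDown as exc:
            audit_log.append(f"password reset mail to {address} failed: {exc}")


def enumerate_users(handler, candidates):
    """Attacker-side probe: take the response for an address that certainly
    does not exist as the baseline; any candidate whose response differs
    belongs to a registered user."""
    baseline = handler("nonexistent-probe@example.invalid")
    return [c for c in candidates if handler(c) != baseline]


if __name__ == "__main__":
    candidates = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print("vulnerable, SMTP down:",
          enumerate_users(lambda e: forgot_password_vulnerable(e, smtp_ok=False), candidates))
    outbox, log = [], []
    print("hardened, SMTP down:",
          enumerate_users(lambda e: forgot_password_hardened(e, outbox), candidates))
    drain_outbox(outbox, smtp_ok=False, audit_log=log)
    print("audit log:", log)
```

Note that the vulnerable handler is only distinguishable while SMTP is actually failing, which is why the advisory rates attack complexity as high (AC:H): with a working mail server both branches return the same generic answer. The hardened handler keeps that uniformity regardless of mail-server state, and the queued send means the request latency does not reveal whether a delivery was attempted.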
Permalink: https://github.com/advisories/GHSA-8qp8-9rpw-j46c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cXA4LTlycHctajQ2Y84AA3ue
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 11 months ago
Updated: 10 months ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-8qp8-9rpw-j46c, CVE-2023-49274
References:
- https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-8qp8-9rpw-j46c
- https://nvd.nist.gov/vuln/detail/CVE-2023-49274
- https://github.com/advisories/GHSA-8qp8-9rpw-j46c
Blast Radius: 1.0
Affected Packages
nuget:Umbraco.CMS
Dependent packages: 46
Dependent repositories: 0
Downloads: 2,607,547 total
Affected Version Ranges: >= 11.0.0, < 12.3.4, >= 9.0.0, < 10.8.1, >= 8.0.0, < 8.18.10
Fixed in: 12.3.4, 10.8.1, 8.18.10
All affected versions: 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 10.0.0, 10.0.1, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.4.0, 10.4.1, 10.4.2, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 10.7.0, 10.8.0, 11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.2.2, 11.3.0, 11.3.1, 11.4.0, 11.4.1, 11.4.2, 11.5.0, 12.0.0, 12.0.1, 12.1.0, 12.1.1, 12.1.2, 12.2.0, 12.3.0, 12.3.1, 12.3.2, 12.3.3
All unaffected versions: 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.8.6, 10.8.7, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.3.8, 12.3.9, 12.3.10, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.1.0, 13.1.1, 13.2.0, 13.2.1, 13.2.2, 13.3.0, 13.3.1, 13.3.2, 13.4.0, 13.4.1, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.1.2, 14.2.0, 14.3.0, 14.3.1, 15.0.0