CVE-2023-49274: Umbraco CMS SMTP misconfiguration exposes potential registered user email
First published: Tue Dec 12 2023(Updated: )
#### Impact A user enumeration attack is possible when SMTP is not setup correctly, but reset password is enabled #### Explanation of the vulnerability Two different error messages was shown, based on if the user exists or not when using the forgot password functionality, when the SMTP was configured but do not response.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| nuget/Umbraco.CMS | >=11.0.0<12.3.4 | 12.3.4 |
| nuget/Umbraco.CMS | >=9.0.0<10.8.1 | 10.8.1 |
| nuget/Umbraco.CMS | >=8.0.0<8.18.10 | 8.18.10 |
| Umbraco CMS | >=8.0.0<8.18.10 | |
| Umbraco CMS | >=10.0.0<10.8.1 | |
| Umbraco CMS | >=12.0.0<12.3.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8qp8-9rpw-j46c
- alias/CVE-2023-49274
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/title
- agent/weakness
- agent/event
- collector/github-advisory
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/nuget
- vendor/umbraco
- canonical/umbraco cms
- version/umbraco cms/8.0.0
- version/umbraco cms/10.0.0
- version/umbraco cms/12.0.0