medium
5.3
CWE
200 307
Advisory Published
Advisory Published
Updated

CVE-2023-49278: Umbraco CMS brute force exploit can be used to collect valid usernames

First published: Tue Dec 12 2023(Updated: )

#### Impact A brute force exploit that can be used to collect valid usernames is possible. #### Explanation of the vulnerability It's a brute force exploit that can be used to collect valid usernames by using the “forgot password” function when trying to log into the Backoffice. If the username/email is known, it is easier to find the corresponding password. If an email address that was already used and registered by a user, is provided as an input, the server internal processing time takes longer. If the email address does not exist in the database of the registered users, the server would respond immediately.

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
nuget/Umbraco.CMS>=11.0.0<12.3.4
12.3.4
nuget/Umbraco.CMS>=9.0.0<10.8.1
10.8.1
nuget/Umbraco.CMS>=8.0.0<8.18.10
8.18.10
Umbraco CMS>=8.0.0<8.18.10
Umbraco CMS>=10.0.0<10.8.1
Umbraco CMS>=12.0.0<12.3.4

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2023-49278?

    CVE-2023-49278 is classified as a moderate severity vulnerability due to the potential for brute force attacks to reveal valid usernames.

  • How do I fix CVE-2023-49278?

    To fix CVE-2023-49278, upgrade Umbraco CMS to version 12.3.4, 10.8.1, or 8.18.10 or later.

  • What versions of Umbraco CMS are affected by CVE-2023-49278?

    CVE-2023-49278 affects Umbraco CMS versions between 8.0.0 and 8.18.10, between 9.0.0 and 10.8.1, and between 12.0.0 and 12.3.4.

  • Can CVE-2023-49278 be exploited remotely?

    Yes, CVE-2023-49278 can be exploited remotely through the 'forgot password' function in the Backoffice login.

  • What impact does CVE-2023-49278 have on security?

    CVE-2023-49278 allows attackers to potentially collect valid usernames via brute force attacks, which could lead to further compromise.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203