12/12/2023
13/12/2023
12/1/2024
CVE-2023-49278: Umbraco CMS brute force exploit can be used to collect valid usernames
First published: Tue Dec 12 2023(Updated: )
#### Impact
A brute force exploit that can be used to collect valid usernames is possible.
#### Explanation of the vulnerability
It's a brute force exploit that can be used to collect valid usernames by using the “forgot password” function when trying to log into the Backoffice.
If the username/email is known, it is easier to find the corresponding password.
If an email address that was already used and registered by a user, is provided as an input, the server internal processing time takes longer.
If the email address does not exist in the database of the registered users, the server would respond immediately.
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|
nuget/Umbraco.CMS | >=11.0.0<12.3.4 | 12.3.4 |
nuget/Umbraco.CMS | >=9.0.0<10.8.1 | 10.8.1 |
nuget/Umbraco.CMS | >=8.0.0<8.18.10 | 8.18.10 |
Umbraco Umbraco Cms | >=8.0.0<8.18.10 | |
Umbraco Umbraco Cms | >=10.0.0<10.8.1 | |
Umbraco Umbraco Cms | >=12.0.0<12.3.4 | |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
- collector/mitre-cve
- collector/nvd-api
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-7x74-h8cw-qhxq
- alias/CVE-2023-49278
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/references
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/title
- agent/description
- agent/tags
- agent/event
- collector/github-advisory
- vendor/umbraco
- canonical/umbraco umbraco cms
- version/umbraco umbraco cms/8.0.0
- version/umbraco umbraco cms/10.0.0
- version/umbraco umbraco cms/12.0.0
- package-manager/nuget
Contact
SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.coBy using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203