CVE-2023-49278: Umbraco CMS brute force exploit can be used to collect valid usernames
First published: Tue Dec 12 2023(Updated: )
#### Impact A brute force exploit that can be used to collect valid usernames is possible. #### Explanation of the vulnerability It's a brute force exploit that can be used to collect valid usernames by using the “forgot password” function when trying to log into the Backoffice. If the username/email is known, it is easier to find the corresponding password. If an email address that was already used and registered by a user, is provided as an input, the server internal processing time takes longer. If the email address does not exist in the database of the registered users, the server would respond immediately.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| nuget/Umbraco.CMS | >=11.0.0<12.3.4 | 12.3.4 |
| nuget/Umbraco.CMS | >=9.0.0<10.8.1 | 10.8.1 |
| nuget/Umbraco.CMS | >=8.0.0<8.18.10 | 8.18.10 |
| Umbraco Umbraco Cms | >=8.0.0<8.18.10 | |
| Umbraco Umbraco Cms | >=10.0.0<10.8.1 | |
| Umbraco Umbraco Cms | >=12.0.0<12.3.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/mitre-cve
- collector/nvd-api
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-7x74-h8cw-qhxq
- alias/CVE-2023-49278
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/references
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/title
- agent/description
- agent/tags
- agent/event
- collector/github-advisory
- vendor/umbraco
- canonical/umbraco umbraco cms
- version/umbraco umbraco cms/8.0.0
- version/umbraco umbraco cms/10.0.0
- version/umbraco umbraco cms/12.0.0
- package-manager/nuget