GHSA-7x74-h8cw-qhxq

Suggest an improvement
Source
https://github.com/advisories/GHSA-7x74-h8cw-qhxq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-7x74-h8cw-qhxq/GHSA-7x74-h8cw-qhxq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7x74-h8cw-qhxq
Aliases
Published
2023-12-13T13:27:06Z
Modified
2024-02-16T08:13:38.433088Z
Severity
  • 0.0 (None) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N CVSS Calculator
Summary
Brute force exploit can be used to collect valid usernames
Details

Impact

A brute force exploit that can be used to collect valid usernames is possible.

Explanation of the vulnerability

It's a brute force exploit that can be used to collect valid usernames by using the “forgot password” function when trying to log into the Backoffice. If the username/email is known, it is easier to find the corresponding password. If an email address that was already used and registered by a user, is provided as an input, the server internal processing time takes longer. If the email address does not exist in the database of the registered users, the server would respond immediately.

References

Affected packages

NuGet / Umbraco.CMS

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.18.10

NuGet / Umbraco.CMS

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0
Fixed
10.8.1

Affected versions

9.*

9.0.0
9.0.1
9.1.0-rc
9.1.0
9.1.1
9.1.2
9.2.0-rc
9.2.0
9.3.0-rc
9.3.0
9.3.1
9.4.0-rc
9.4.0
9.4.1
9.4.2
9.4.3
9.5.0-rc
9.5.0-rc2
9.5.0-rc3
9.5.0
9.5.1
9.5.2
9.5.3
9.5.4

10.*

10.0.0-rc1
10.0.0-rc2
10.0.0-rc3
10.0.0-rc4
10.0.0-rc5
10.0.0
10.0.1
10.1.0-rc
10.1.0-rc2
10.1.0
10.1.1
10.2.0-rc
10.2.0
10.2.1
10.3.0-rc
10.3.0
10.3.1
10.3.2
10.4.0-rc
10.4.0
10.4.1
10.4.2
10.5.0-rc
10.5.0
10.5.1
10.6.0-rc
10.6.0
10.6.1
10.7.0-rc
10.7.0
10.8.0-rc
10.8.0

NuGet / Umbraco.CMS

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
12.3.4

Affected versions

11.*

11.0.0
11.1.0-rc
11.1.0
11.2.0-rc
11.2.0
11.2.1
11.2.2
11.3.0-rc
11.3.0
11.3.1
11.4.0-rc
11.4.0
11.4.1
11.4.2
11.5.0-rc
11.5.0

12.*

12.0.0-rc1
12.0.0-rc2
12.0.0-rc3
12.0.0-rc4
12.0.0-rc5
12.0.0
12.0.1
12.1.0-rc
12.1.0
12.1.1
12.1.2
12.2.0-rc
12.2.0
12.3.0-rc
12.3.0
12.3.1
12.3.2
12.3.3