GHSA-8qp8-9rpw-j46c

Source
https://github.com/advisories/GHSA-8qp8-9rpw-j46c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-8qp8-9rpw-j46c/GHSA-8qp8-9rpw-j46c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8qp8-9rpw-j46c
Aliases
Published
2023-12-13T13:26:34Z
Modified
2024-02-16T08:08:40.804219Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
SMTP misconfiguration leading to "Forgot Password" exploit that leaks registered user email.
Details

Impact

A user enumeration attack is possible when SMTP is not set up correctly but password reset is enabled.

Explanation of the vulnerability

Two different error messages were shown, depending on whether the user exists or not, when using the forgot password functionality while SMTP was configured but did not respond.

Database specific
{
    "nvd_published_at": "2023-12-12T20:15:07Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-13T13:26:34Z"
}
References

Affected packages

NuGet / Umbraco.CMS

Affected ranges (type: ECOSYSTEM)
Introduced: 8.0.0
Fixed: 8.18.10

NuGet / Umbraco.CMS

Affected ranges (type: ECOSYSTEM)
Introduced: 9.0.0
Fixed: 10.8.1

Affected versions

9.*

9.0.0
9.0.1
9.1.0-rc
9.1.0
9.1.1
9.1.2
9.2.0-rc
9.2.0
9.3.0-rc
9.3.0
9.3.1
9.4.0-rc
9.4.0
9.4.1
9.4.2
9.4.3
9.5.0-rc
9.5.0-rc2
9.5.0-rc3
9.5.0
9.5.1
9.5.2
9.5.3
9.5.4

10.*

10.0.0-rc1
10.0.0-rc2
10.0.0-rc3
10.0.0-rc4
10.0.0-rc5
10.0.0
10.0.1
10.1.0-rc
10.1.0-rc2
10.1.0
10.1.1
10.2.0-rc
10.2.0
10.2.1
10.3.0-rc
10.3.0
10.3.1
10.3.2
10.4.0-rc
10.4.0
10.4.1
10.4.2
10.5.0-rc
10.5.0
10.5.1
10.6.0-rc
10.6.0
10.6.1
10.7.0-rc
10.7.0
10.8.0-rc
10.8.0

NuGet / Umbraco.CMS

Affected ranges (type: ECOSYSTEM)
Introduced: 11.0.0
Fixed: 12.3.4

Affected versions

11.*

11.0.0
11.1.0-rc
11.1.0
11.2.0-rc
11.2.0
11.2.1
11.2.2
11.3.0-rc
11.3.0
11.3.1
11.4.0-rc
11.4.0
11.4.1
11.4.2
11.5.0-rc
11.5.0

12.*

12.0.0-rc1
12.0.0-rc2
12.0.0-rc3
12.0.0-rc4
12.0.0-rc5
12.0.0
12.0.1
12.1.0-rc
12.1.0
12.1.1
12.1.2
12.2.0-rc
12.2.0
12.3.0-rc
12.3.0
12.3.1
12.3.2
12.3.3