LOW 3.7 NuGet

SMTP misconfiguration leading to "Forgot Password" exploit that leaks registered user email.

GHSA-8qp8-9rpw-j46c · CVE-2023-49274

Published · Modified

Description

Impact

A user enumeration attack is possible when SMTP is not set up correctly but password reset is enabled.

Explanation of the vulnerability

When SMTP was configured but did not respond, the forgot password functionality showed two different error messages depending on whether the user existed.
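The following C# sketch is an added example, not code from the advisory or from the affected package. It shows one plausible shape of the flaw next to a handler that answers identically for registered and unregistered addresses; `IMailer`, `DeadSmtp`, `ForgotPassword` and the sample addresses are hypothetical names constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
// Hypothetical names throughout; this is not the affected package's code.
public interface IMailer { void Send(string to, string body); }

// Constructed stand-in for an SMTP server that is configured but never responds.
public sealed class DeadSmtp : IMailer
{
    public void Send(string to, string body) => throw new TimeoutException("SMTP did not respond");
}

public static class ForgotPassword
{
    const string Generic = "If the address is registered, a reset link has been sent.";
    // Before (assumed shape): the SMTP failure is only reachable for existing
    // users, so the message reveals whether the address is registered.
    public static string Vulnerable(ISet<string> users, IMailer mail, string email)
    {
        if (!users.Contains(email)) return Generic;
        try { mail.Send(email, "reset link"); return Generic; }
        catch (Exception) { return "Could not send the reset email."; }
    }

    // After: the mail failure is logged server-side and the caller always
    // receives the same message.
    public static string Hardened(ISet<string> users, IMailer mail, string email, Action<string> log)
    {
        if (users.Contains(email))
        {
            try { mail.Send(email, "reset link"); }
            catch (Exception ex) { log("reset mail failed: " + ex.Message); }
        }
        return Generic;
    }
}

public static class Demo
{
    public static void Main()
    {
        var users = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "alice@example.test" };
        var smtp = new DeadSmtp();
        foreach (var e in new[] { "alice@example.test", "nobody@example.test" })
        {
            Console.WriteLine($"vulnerable {e}: {ForgotPassword.Vulnerable(users, smtp, e)}");
            Console.WriteLine($"hardened   {e}: {ForgotPassword.Hardened(users, smtp, e, Console.Error.WriteLine)}");
        }
    }
}
```

The hardened handler removes the difference in message text, but response time can still differ when the send blocks until a timeout. Queuing the mail outside the request path closes that gap as well.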
