Brute force exploit can be used to collect valid usernames

GHSA-7x74-h8cw-qhxq · CVE-2023-49278

Published Dec 13, 2023 · Modified Feb 16, 2024

Description

Impact

A brute force exploit that can be used to collect valid usernames is possible.

Explanation of the vulnerability

It's a brute force exploit that can be used to collect valid usernames by using the “forgot password” function when trying to log into the Backoffice.
If the username/email is known, it is easier to find the corresponding password.
If an email address that was already used and registered by a user, is provided as an input, the server internal processing time takes longer.
If the email address does not exist in the database of the registered users, the server would respond immediately.

References

WEB https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-7x74-h8cw-qhxq
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-49278
PACKAGE https://github.com/umbraco/Umbraco-CMS

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes