Skip to content

SMTP misconfiguration leading to "Forgot Password" exploit that leaks registered user email.

Low severity GitHub Reviewed Published Dec 12, 2023 in umbraco/Umbraco-CMS • Updated Jan 12, 2024

Package

nuget Umbraco.CMS (NuGet)

Affected versions

>= 8.0.0, < 8.18.10
>= 9.0.0, < 10.8.1
>= 11.0.0, < 12.3.4

Patched versions

8.18.10
10.8.1
12.3.4

Description

Impact

A user enumeration attack is possible when SMTP is not setup correctly, but reset password is enabled

Explanation of the vulnerability

Two different error messages was shown, based on if the user exists or not when using the forgot password functionality, when the SMTP was configured but do not response.

References

@bergmania bergmania published to umbraco/Umbraco-CMS Dec 12, 2023
Published by the National Vulnerability Database Dec 12, 2023
Published to the GitHub Advisory Database Dec 13, 2023
Reviewed Dec 13, 2023
Last updated Jan 12, 2024

Severity

Low
3.7
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Weaknesses

CVE ID

CVE-2023-49274

GHSA ID

GHSA-8qp8-9rpw-j46c

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.