5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.0005 Low
EPSS
Percentile
17.0%
A brute force exploit that can be used to collect valid usernames is possible.
It’s a brute force exploit that can be used to collect valid usernames by using the “forgot password” function when trying to log into the Backoffice.
If the username/email is known, it is easier to find the corresponding password.
If an email address that was already used and registered by a user, is provided as an input, the server internal processing time takes longer.
If the email address does not exist in the database of the registered users, the server would respond immediately.
CPE | Name | Operator | Version |
---|---|---|---|
umbraco.cms | ge | 11.0.0 | |
umbraco.cms | lt | 12.3.4 | |
umbraco.cms | ge | 9.0.0 | |
umbraco.cms | lt | 10.8.1 | |
umbraco.cms | lt | 8.18.10 |