CVE-2023-49278

Umbraco CMS brute force exploit can be used to collect valid usernames

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.

Umbraco es un sistema de gestión de contenidos (CMS) ASP.NET. A partir de la versión 8.0.0 y anteriores a las versiones 8.18.10, 10.8.1 y 12.3.4, se puede utilizar un exploit de fuerza bruta para recopilar nombres de usuario válidos. Las versiones 8.18.10, 10.8.1 y 12.3.4 contienen un parche para este problema.

*Credits: N/A

CVSS Scores

NISTv3.1 5.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-11-24 CVE Reserved
2023-12-12 CVE Published
2024-10-08 CVE Updated
2024-11-11 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-307: Improper Restriction of Excessive Authentication Attempts

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-7x74-h8cw-qhxq	2023-12-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Umbraco Search vendor "Umbraco"		Umbraco Cms Search vendor "Umbraco" for product "Umbraco Cms"				>= 8.0.0 < 8.18.10 Search vendor "Umbraco" for product "Umbraco Cms" and version " >= 8.0.0 < 8.18.10"		-		Affected
Umbraco Search vendor "Umbraco"		Umbraco Cms Search vendor "Umbraco" for product "Umbraco Cms"				>= 10.0.0 < 10.8.1 Search vendor "Umbraco" for product "Umbraco Cms" and version " >= 10.0.0 < 10.8.1"		-		Affected
Umbraco Search vendor "Umbraco"		Umbraco Cms Search vendor "Umbraco" for product "Umbraco Cms"				>= 12.0.0 < 12.3.4 Search vendor "Umbraco" for product "Umbraco Cms" and version " >= 12.0.0 < 12.3.4"		-		Affected