CVE-2023-49274

LOW3.7EPSS 0.37%

SMTP misconfiguration leading to "Forgot Password" exploit that leaks registered user email.

Published: 12/13/2023Modified: 2/16/2024

Description

#### Impact A user enumeration attack is possible when SMTP is not setup correctly, but reset password is enabled #### Explanation of the vulnerability Two different error messages was shown, based on if the user exists or not when using the forgot password functionality, when the SMTP was configured but do not response.

Affected packages (1)

NuGet/Umbraco.CMS>= 8.0.0, < 8.18.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-49274
PATCHhttps://github.com/umbraco/Umbraco-CMS
WEBhttps://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-8qp8-9rpw-j46c