Umbraco possible user enumeration · CVE-2024-28868 · GitHub Advisory Database · GitHub

Umbraco possible user enumeration

Low severity GitHub Reviewed Published Mar 20, 2024 in umbraco/Umbraco-CMS • Updated Apr 12, 2024

Package

UmbracoCMS (NuGet)

Affected versions

>= 10.0.0, < 10.8.5

Patched versions

10.8.5

Description

Impact

A user enumeration attack is possible.

Affected versions

Umbraco 10 with access to the native login screen

Patches

This is fixed in 10.8.5

Workarounds

Disabling the native login screen, by exclusively use external logins.

References

bergmania published to umbraco/Umbraco-CMS

Mar 20, 2024

Published to the GitHub Advisory Database Mar 20, 2024

Reviewed Mar 20, 2024

Published by the National Vulnerability Database

Mar 20, 2024

Last updated Apr 12, 2024

Severity

Low

3.7

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N