PT-2023-31145 · Umbraco · Umbraco

Bergmaniap · Published 2023-12-12 · Updated 2023-12-15 · CVE-2023-49278

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Umbraco versions 8.0.0 through 8.18.9
Umbraco versions 10.0.0 through 10.8.0
Umbraco versions 12.0.0 through 12.3.3
Description

Umbraco is an ASP.NET content management system (CMS). The "forgot password" function of its Backoffice login leaks whether a submitted email address belongs to a registered user: the server's internal processing of the request takes longer when the address is registered than when it is not, so the response time reveals account membership. This timing difference is an oracle that an unauthenticated attacker can drive with a brute-force list of candidate email addresses, classifying each one by response time and collecting valid Backoffice usernames without any credentials. The enumerated accounts are then easier to attack, since a password-guessing attempt no longer has to guess the username as well. The CVSS vector reflects this: no privileges or user interaction are required, and the impact is limited to confidentiality (C:L).
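The timing oracle described above, as an added example that is not Umbraco's own code: a toy "forgot password" handler that imitates the reported behaviour (extra server-side work only when the address is registered), the hardened form that does equal-cost work on both paths, and the timing classifier a tester would run against the endpoint. The user store, the candidate list, and the use of PBKDF2 as a stand-in for the per-user work (deriving a reset token, queueing the email) are assumptions made so the example runs offline.

```python
"""Timing-based user enumeration through a "forgot password" endpoint.

Added example, not Umbraco code.  Assumption: the vulnerable handler does
extra server-side work (reset-token derivation, mail queueing) only when
the address is registered; PBKDF2 stands in for that work so the example
is self-contained and runs offline.
"""
import hashlib
import os
import statistics
import time
from typing import Callable, Iterable, List

# Constructed sample user store: only these addresses are registered.
REGISTERED = {"alice@example.com", "bob@example.com"}

# Constructed candidate list a tester would feed to the endpoint.
CANDIDATES = [
    "alice@example.com",
    "nobody@example.com",
    "bob@example.com",
    "ghost@example.com",
]

# Both handlers return the same body, so timing is the only oracle.
GENERIC_REPLY = "If the address is registered, a reset link has been sent."

_WORK_ITERATIONS = 100_000   # tens of milliseconds on a typical CPU
_WORK_SALT = os.urandom(16)

Handler = Callable[[str], str]


def _reset_work(email: str) -> bytes:
    """Stand-in for the expensive per-user work (token derivation, mail)."""
    return hashlib.pbkdf2_hmac("sha256", email.encode(), _WORK_SALT, _WORK_ITERATIONS)


def forgot_password_vulnerable(email: str) -> str:
    """Skips the work for unknown addresses, so response time leaks membership."""
    if email in REGISTERED:
        _reset_work(email)
    return GENERIC_REPLY


def forgot_password_hardened(email: str) -> str:
    """Performs equal-cost work on both paths; timing no longer depends on membership."""
    if email in REGISTERED:
        _reset_work(email)
    else:
        _reset_work("decoy@invalid")   # same cost, result discarded
    return GENERIC_REPLY


def _median_seconds(handler: Handler, email: str, samples: int) -> float:
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        handler(email)
        times.append(time.perf_counter() - start)
    return statistics.median(times)


def enumerate_by_timing(handler: Handler, candidates: Iterable[str],
                        samples: int = 5, min_delta: float = 0.005,
                        min_ratio: float = 2.0) -> List[str]:
    """Classify candidates by response time against a baseline measured on a
    random address that cannot be registered.  A candidate is reported only
    if its median time is both `min_delta` seconds slower than the baseline
    and at least `min_ratio` times the baseline: the absolute bound stops
    microsecond jitter on a fast path from looking like a 2x ratio, and the
    ratio stops a few milliseconds of jitter on a slow path from looking
    like extra work."""
    probe = os.urandom(8).hex() + "@probe.invalid"
    baseline = _median_seconds(handler, probe, samples)
    found = []
    for email in candidates:
        t = _median_seconds(handler, email, samples)
        if t - baseline > min_delta and t > baseline * min_ratio:
            found.append(email)
    return found


def responses_identical(handler: Handler) -> bool:
    """True when registered and unregistered addresses get the same body."""
    return handler("alice@example.com") == handler("nobody@example.com")


if __name__ == "__main__":
    print("vulnerable:", enumerate_by_timing(forgot_password_vulnerable, CANDIDATES))
    print("hardened:  ", enumerate_by_timing(forgot_password_hardened, CANDIDATES))
```

Against the vulnerable handler the classifier recovers exactly the registered addresses; against the hardened one it recovers none, because both paths cost the same. Over a real network the per-request noise is far larger than in-process, so a tester increases `samples` and compares medians rather than single requests; the decision rule stays the same.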
Recommendations

For Umbraco versions 8.0.0 through 8.18.9, update to version 8.18.10 or later.
For Umbraco versions 10.0.0 through 10.8.0, update to version 10.8.1 or later.
For Umbraco versions 12.0.0 through 12.3.3, update to version 12.3.4 or later.

As a temporary workaround, restrict access to the Backoffice "forgot password" function (for example, to trusted networks only) until the update can be applied. Restricting who can reach the function reduces exposure but does not remove the timing difference itself; only the update does that.

Exploit · Fix

Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts (CWE-307)
Information Disclosure

Related Identifiers

CVE-2023-49278
GHSA-7X74-H8CW-QHXQ

Affected Products

Umbraco