PT-2023-31142 · Umbraco · Umbraco

Emmagarland

·

Published

2023-12-12

·

Updated

2023-12-14

·

CVE-2023-49274

CVSS v3.1

3.7

Low

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Umbraco 8.0.0 through 8.18.9
Umbraco 10.0.0 through 10.8.0
Umbraco 12.0.0 through 12.3.3
Description
A user enumeration attack is possible when SMTP is not set up correctly but password reset is enabled. The forgot-password functionality returns a different message depending on whether the submitted user exists: the reset email is only attempted for an existing account, so a failing SMTP configuration produces an error response for valid usernames and a generic response for unknown ones. An unauthenticated attacker can therefore confirm valid backoffice usernames by submitting candidates and comparing the responses. The estimated number of potentially affected installations worldwide is not specified, and there is no information about real-world incidents in which this issue was exploited.
Recommendations
Update to a fixed release:
Umbraco 8.0.0 through 8.18.9: update to 8.18.10 or later.
Umbraco 10.0.0 through 10.8.0: update to 10.8.1 or later.
Umbraco 12.0.0 through 12.3.3: update to 12.3.4 or later.
If you cannot update immediately, disable the password reset feature until you can, or at least make sure SMTP is correctly configured so that the reset email can actually be sent (the oracle depends on the send failing). Restricting who can reach the forgot-password endpoint also reduces the exposure.
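To make the oracle described above concrete, here is an added example in Python. It is not Umbraco's code and not taken from the advisory: the reset endpoint is modelled as a plain function returning the message the user would see, the broken SMTP configuration is modelled by a mail sender that always raises, and the user store is a constructed set of two usernames. `forgot_password_vulnerable` has the response-difference shape the description reports; `forgot_password_hardened` returns one identical message in every case and logs the mail failure server-side; `enumerate_users` is the tester's check that compares each candidate's response against a username that certainly does not exist.

```python
"""
Added example (not Umbraco code, not from the advisory): a response-difference
user-enumeration oracle on a forgot-password endpoint, and a hardened handler
that removes it.

Hypothetical assumptions: the endpoint is a function returning the message shown
to the requester; a broken SMTP setup is a mail sender that raises on every send.
"""
import logging
import secrets

log = logging.getLogger("reset")

# Constructed sample user store: only these usernames "exist".
KNOWN_USERS = {"admin@example.com", "editor@example.com"}

GENERIC_OK = "If the account exists, a password reset email has been sent."


class SmtpError(Exception):
    """Raised by the stand-in mail sender below."""


def broken_send_mail(to: str, body: str) -> None:
    """Stand-in for an SMTP client with no or invalid configuration."""
    raise SmtpError("SMTP host is not configured")


def forgot_password_vulnerable(username: str, send_mail=broken_send_mail) -> str:
    """Vulnerable shape: the mail send is only attempted for an existing user,
    and its failure is reported back to the requester verbatim, so the response
    differs between known and unknown usernames when SMTP is broken."""
    if username not in KNOWN_USERS:
        return GENERIC_OK
    token = secrets.token_urlsafe(32)
    try:
        send_mail(username, f"Reset token: {token}")
    except SmtpError as exc:
        return f"Error sending reset email: {exc}"
    return GENERIC_OK


def forgot_password_hardened(username: str, send_mail=broken_send_mail) -> str:
    """Hardened shape: the same message whether or not the account exists and
    whether or not the send succeeds; the failure is logged server-side only."""
    if username in KNOWN_USERS:
        token = secrets.token_urlsafe(32)
        try:
            send_mail(username, f"Reset token: {token}")
        except SmtpError:
            log.exception("password reset email could not be sent")
    return GENERIC_OK


def enumerate_users(handler, candidates) -> list[str]:
    """Tester's oracle: a candidate is confirmed as a valid username if the
    endpoint answers it differently from a username that cannot exist."""
    baseline = handler("definitely-not-a-user-" + secrets.token_hex(8))
    return sorted(c for c in candidates if handler(c) != baseline)


if __name__ == "__main__":
    wordlist = ["admin@example.com", "ceo@example.com", "editor@example.com"]
    print("vulnerable:", enumerate_users(forgot_password_vulnerable, wordlist))
    print("hardened:  ", enumerate_users(forgot_password_hardened, wordlist))
```

Against the vulnerable handler the oracle recovers both real usernames from the wordlist; against the hardened one it recovers none. Note that the hardened version only closes the response-content channel the advisory describes: it still does more work for an existing account, so a timing side channel would need separate treatment (constant-time behaviour or queuing the send off the request path).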

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2023-49274
GHSA-8QP8-9RPW-J46C

Affected products

Umbraco