Description
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected products
- umbraco / Umbraco-CMS>= 8.0.0, < 8.18.10 – >= 8.0.0, < 8.18.10
- umbraco / Umbraco-CMS>= 9.0.0-rc001, < 10.8.1 – >= 9.0.0-rc001, < 10.8.1
- umbraco / Umbraco-CMS>= 11.0.0-rc1, < 12.3.4 – >= 11.0.0-rc1, < 12.3.4