CVE-2017-12849 — Sensitive Information Exposure in CMS

CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 54.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Silverstripe CMS Silverstripe

Timeline

PublishedOct 12

Latest updateMay 17

Description

Response discrepancy in the login and password reset forms in SilverStripe CMS before 3.5.5 and 3.6.x before 3.6.1 allows remote attackers to enumerate users via timing attacks.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶Packagistsilverstripe/cms3.6 — 3.6.1+1

▶NVDsilverstripe/silverstripe3.5.4+1

🔴Vulnerability Details

GHSA

Silverstripe CMS User Enumeration↗2022-05-17

▶

OSV

Silverstripe CMS User Enumeration↗2022-05-17

▶