CVE-2017-12849
Published 2017-10-12
Severity: medium, CVSS 3.0 base score 5.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS: 1.11% (61.8th percentile)
Response discrepancy in the login and password reset forms in SilverStripe CMS before 3.5.5 and 3.6.x before 3.6.1 allows remote attackers to enumerate users via timing attacks.
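The discrepancy behind this CVE is the textbook one: when the submitted username matches no account, a login or reset handler can return immediately, while for an existing account it first runs the deliberately slow password hash, so the response time alone tells a remote attacker whether the account exists. The Python below is an added example, not SilverStripe's PHP code or its 3.5.5/3.6.1 patch; it models that leaky pattern beside a hardened variant that performs the same hash work against a fixed dummy hash whenever the username is unknown. The store is instrumented to count KDF invocations so the difference can be checked without relying on wall-clock noise, and all names (`UserStore`, `login_leaky`, `login_constant_work`, the sample `admin` account) are illustrative assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# A deliberately expensive password hash, as any real login path uses.
ITERATIONS = 60_000


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; this is the slow step."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class UserStore:
    """username -> (salt, hash). hash_calls counts KDF runs (instrumentation only)."""
    users: dict
    hash_calls: int = 0

    def verify(self, password: str, salt: bytes, expected: bytes) -> bool:
        self.hash_calls += 1
        return hmac.compare_digest(derive(password, salt), expected)


# Fixed dummy credential so an unknown username costs the same as a known one.
DUMMY_SALT = bytes(16)
DUMMY_HASH = derive("dummy-not-a-real-account", DUMMY_SALT)


def login_leaky(store: UserStore, username: str, password: str) -> bool:
    """Vulnerable pattern: an unknown user short-circuits before the KDF runs,
    so a failed login for a nonexistent account answers measurably faster."""
    record = store.users.get(username)
    if record is None:
        return False
    salt, expected = record
    return store.verify(password, salt, expected)


def login_constant_work(store: UserStore, username: str, password: str) -> bool:
    """Hardened pattern: always run the KDF (against the dummy hash if the user
    is unknown) and only afterwards fold the existence check into the result."""
    record = store.users.get(username)
    exists = record is not None
    salt, expected = record if exists else (DUMMY_SALT, DUMMY_HASH)
    ok = store.verify(password, salt, expected)
    return ok and exists


def make_store() -> UserStore:
    """Constructed sample data: a single registered account."""
    salt = os.urandom(16)
    return UserStore({"admin": (salt, derive("correct horse", salt))})


def hash_calls_for(login_fn, username: str) -> int:
    """Number of KDF runs a failed login attempt for `username` triggers."""
    store = make_store()
    login_fn(store, username, "wrong-password")
    return store.hash_calls


def timed(login_fn, store: UserStore, username: str) -> float:
    """Wall-clock seconds for one failed attempt; shows the leak on a real clock."""
    t0 = time.perf_counter()
    login_fn(store, username, "wrong-password")
    return time.perf_counter() - t0


if __name__ == "__main__":
    store = make_store()
    for fn in (login_leaky, login_constant_work):
        known = timed(fn, store, "admin")
        unknown = timed(fn, store, "nobody")
        print(f"{fn.__name__:22s} known={known * 1000:7.1f} ms  unknown={unknown * 1000:7.1f} ms")
```

Run as a script to see the leaky handler answer the unknown user in microseconds while the known user costs a full KDF; the hardened handler pays the KDF in both cases. A password reset form is fixed the same way: do the same work and return the same message whether or not the address is registered, and move anything that genuinely differs (sending the mail) off the request path.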
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| silverstripe | cms | >= 0 < 3.5.5 | 3.5.5 |
| silverstripe | cms | >= 3.6 < 3.6.1 | 3.6.1 |
| silverstripe | silverstripe | <= 3.5.4 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
GHSA, 2022-05-17: Silverstripe CMS User Enumeration (CVE-2017-12849, MEDIUM, CWE-200)
OSV, 2022-05-17: Silverstripe CMS User Enumeration (CVE-2017-12849, MEDIUM)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.