CVE-2023-49278: 
C# vulnerability analysis and mitigation

Umbraco, an ASP.NET content management system (CMS), was found to contain a vulnerability starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, where a brute force exploit could be used to collect valid usernames (NVD, GitHub Advisory). The vulnerability was disclosed on December 12, 2023.

The vulnerability exploits the 'forgot password' function in the Backoffice login system. The attack works by analyzing server response times: when an email address that exists in the database is provided, the server processing time is longer compared to when a non-existent email is used, which receives an immediate response. This timing difference allows attackers to enumerate valid usernames. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 MEDIUM with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The primary impact of this vulnerability is the potential exposure of valid usernames in the system. Once an attacker has identified valid usernames, it becomes easier to conduct targeted password attacks, as half of the authentication pair is already known. This information disclosure could serve as a stepping stone for more sophisticated attacks against the CMS (GitHub Advisory).

The vulnerability has been patched in Umbraco versions 8.18.10, 10.8.1, and 12.3.4. Users are advised to upgrade to these or later versions to protect against this vulnerability (GitHub Advisory).