CVE-2017-12849: Exposure of Sensitive Information to an Unauthorized Actor

May 17, 2022 (updated July 26, 2023)

Response discrepancy in the login and password reset forms in SilverStripe CMS before 3.5.5 and 3.6.x before 3.6.1 allows remote attackers to enumerate users via timing attacks.

References

github.com/advisories/GHSA-fwhr-g5r4-xgxf
nvd.nist.gov/vuln/detail/CVE-2017-12849
www.silverstripe.org/download/security-releases/ss-2017-005

Detect and mitigate CVE-2017-12849 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →