CVE-2017-12849

MEDIUM

SilverStripe CMS < 3.5.5 and 3.6.x < 3.6.1 - User Enumeration via Login Timing Attack


Description

Response discrepancy in the login and password reset forms in SilverStripe CMS before 3.5.5 and 3.6.x before 3.6.1 allows remote attackers to enumerate users via timing attacks.


Scores

CVSS v3 5.3
EPSS 0.0111
EPSS Percentile 61.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-200
Status published
Products (3)
silverstripe/cms 0 - 3.5.5 (Packagist)
silverstripe/silverstripe 3.6.0
silverstripe/silverstripe < 3.5.4
Published Oct 12, 2017
Tracked Since Feb 18, 2026