SS-2017-002: Member disclosure in login form

Severity:
Low
Identifier:
SS-2017-002
Versions Affected:
3.4.5 and below, 3.5.0 to 3.5.3
Versions Fixed:
3.4.6, 3.5.4, 3.6.0
Release Date:
2017-05-31

There is a user ID enumeration vulnerability in the error messages produced by our brute-force login protection.

This means an attacker can infer or confirm which user details exist in the Member table by observing how the login form responds.

This issue has been resolved by ensuring that the login attempt logging and lockout process works equivalently for non-existent users as it does for existent users.
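To make the defect and its fix concrete, the following added example (generic Python, not SilverStripe's own authenticator code) models the two behaviours the advisory contrasts: a login handler whose failure messages and lockout only apply to accounts that exist, beside one whose attempt logging and lockout are keyed on the submitted identifier whether or not a matching member exists. The member table, password, salt and message strings are constructed for the example; `LOCKOUT_AFTER` and the class names are hypothetical.

```python
"""Enumeration via login failure handling, and the uniform-behaviour fix.

Constructed illustration of the SS-2017-002 class of defect. Nothing here is
SilverStripe's MemberAuthenticator; names and sample data are made up.
"""
import hashlib
import hmac
import secrets

LOCKOUT_AFTER = 3  # hypothetical threshold of failed attempts before lockout
GENERIC_FAILURE = "The provided details don't seem to be correct. Please try again."
LOCKED = "Too many failed attempts. Please try again later."

_SALT = b"constructed-salt"  # a real system stores a per-member salt


def hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed member table: identifier -> password hash.
MEMBERS = {"alice@example.com": hash_password("correct horse")}

# Dummy hash verified against when the identifier is unknown, so the failing
# path does the same amount of work for unknown and known identifiers.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


def verify(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password), stored)


class LeakyLogin:
    """Vulnerable pattern: unknown identifiers get a distinct message and are
    never logged or locked out, so the lockout message itself confirms that
    an account exists."""

    def __init__(self):
        self.failed = {}  # only ever populated for existing members

    def attempt(self, email: str, password: str) -> str:
        stored = MEMBERS.get(email)
        if stored is None:
            return "Unknown email address"  # direct disclosure
        if self.failed.get(email, 0) >= LOCKOUT_AFTER:
            return LOCKED  # only reachable for real accounts: indirect disclosure
        if verify(password, stored):
            self.failed.pop(email, None)
            return "OK"
        self.failed[email] = self.failed.get(email, 0) + 1
        return GENERIC_FAILURE


class UniformLogin:
    """Fixed pattern: attempts are logged and counted against the submitted
    identifier regardless of whether a member exists, the same message is
    returned on failure, and lockout applies identically."""

    def __init__(self):
        self.failed = {}  # keyed by submitted identifier, existing or not
        self.log = []     # (identifier, success) records for every attempt

    def attempt(self, email: str, password: str) -> str:
        if self.failed.get(email, 0) >= LOCKOUT_AFTER:
            self.log.append((email, False))
            return LOCKED  # identical for known and unknown identifiers
        stored = MEMBERS.get(email, _DUMMY_HASH)
        ok = verify(password, stored) and email in MEMBERS
        self.log.append((email, ok))
        if ok:
            self.failed.pop(email, None)
            return "OK"
        self.failed[email] = self.failed.get(email, 0) + 1
        return GENERIC_FAILURE


def transcript(handler, email: str, attempts: int = LOCKOUT_AFTER + 1) -> list:
    """Responses seen by a client submitting a wrong password `attempts` times."""
    return [handler.attempt(email, "wrong-password") for _ in range(attempts)]


def distinguishable(handler_cls) -> bool:
    """True if the response sequence differs between an existing and a
    non-existing identifier, i.e. the handler leaks account existence."""
    handler = handler_cls()
    return transcript(handler, "alice@example.com") != transcript(handler, "nobody@example.com")


if __name__ == "__main__":
    print("LeakyLogin leaks:", distinguishable(LeakyLogin))      # True
    print("UniformLogin leaks:", distinguishable(UniformLogin))  # False
```

The check worth keeping from this is `distinguishable`: run the same wrong-password sequence against a known and an unknown identifier and diff the transcripts. Any difference in message, status, or lockout timing is an enumeration oracle, which is exactly what the fixed versions above remove by treating non-existent users equivalently.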