
SS-2017-005: User enumeration via timing attack on login and password reset forms

Severity: Moderate
Identifier: SS-2017-005
Versions Affected: 3.5.4 and below, through 3.6.1
Versions Fixed: 3.5.5, 3.6.2
Release Date: 2017-09-28

User enumeration is possible by performing a timing attack against the login or password reset forms: the time taken to respond to submitted credentials differs depending on whether the supplied username exists.
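The two handler shapes behind this class of issue, as an added illustration that is not SilverStripe's own code: the leaky login skips the expensive password hash when the user is unknown, while the hardened one hashes against a dummy record and compares in constant time so both paths do the same work. The user store, the PBKDF2 parameters and the call counter are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample user store for this example: name -> (salt, PBKDF2 hash).
ITERATIONS = 50_000
hash_calls = 0  # instrumentation: how many expensive hash operations ran


def hash_password(password: str, salt: bytes) -> bytes:
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store(users: dict) -> dict:
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = (salt, hash_password(pw, salt))
    return store


# Dummy credential computed once, so requests for unknown users do the same work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(store: dict, username: str, password: str) -> bool:
    """Vulnerable shape: an unknown user returns before any hashing, so the
    response is measurably faster than for a real user with a wrong password."""
    if username not in store:
        return False
    salt, stored = store[username]
    return hash_password(password, salt) == stored


def login_hardened(store: dict, username: str, password: str) -> bool:
    """Same work on both paths: hash against a dummy record when the user is
    unknown and compare in constant time. A password reset form needs the same
    shape: respond identically whether or not the account exists."""
    known = username in store
    salt, stored = store[username] if known else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    return known and matched


def hash_calls_for(login, store: dict, username: str, password: str) -> int:
    """Count hash operations for one attempt (a stable proxy for response time)."""
    before = hash_calls
    login(store, username, password)
    return hash_calls - before
```

Counting hash calls rather than wall-clock time makes the difference between the two handlers reproducible; on a real deployment the gap shows up as a consistent response-time difference for unknown usernames.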

Credit to Daniel Hensby (SilverStripe) and Erez Yalon (Checkmarx)