CVE-2023-49274
SMTP misconfiguration leading to "Forgot Password" exploit that leaks registered user email.
3.7
LOW
CVSS 3.1
EPSS 0.37%
Description
#### Impact

A user enumeration attack is possible when SMTP is not set up correctly but password reset is enabled.

#### Explanation of the vulnerability

The forgot-password function showed two different error messages, depending on whether the user existed, when SMTP was configured but did not respond. An attacker can therefore submit arbitrary addresses and learn which ones belong to registered accounts.
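The oracle described above, as an added example that is not code from the affected project or from the advisory: a minimal forgot-password handler in Python that reproduces the two-message behaviour against a mail sender that never answers, the hardened form that returns one fixed message and defers sending, and the probe an attacker would use to tell the two apart. The user store, the `UnresponsiveSmtp` class, the endpoint functions and the probe are all hypothetical and constructed for illustration.

```python
"""Added example (not code from the affected project or the advisory):
a forgot-password endpoint that leaks account existence when SMTP fails,
next to a hardened version, plus the probe an attacker would use.

Every name here is hypothetical and constructed for illustration."""
import logging
import smtplib
from typing import Callable, Protocol

log = logging.getLogger("forgot_password")

# Constructed user store standing in for the application's database.
REGISTERED_USERS = {"alice@example.com", "bob@example.com"}


class Mailer(Protocol):
    def send(self, to_address: str, body: str) -> None: ...


class UnresponsiveSmtp:
    """Stands in for an SMTP server that is configured but never answers:
    every send fails, as smtplib does when the connection drops."""

    def send(self, to_address: str, body: str) -> None:
        raise smtplib.SMTPServerDisconnected("Connection unexpectedly closed")


def forgot_password_vulnerable(email: str, mailer: Mailer) -> str:
    """Pattern described in the advisory: the response text depends on
    whether the account exists, because the unknown-user branch and the
    mail-failure branch return different messages."""
    if email not in REGISTERED_USERS:
        return "No user found with that email address."
    try:
        mailer.send(email, "Your password reset link: <token>")
    except smtplib.SMTPException:
        # Only reachable for registered users, so this message is an oracle.
        return "The reset email could not be sent. Contact an administrator."
    return "A password reset email has been sent."


GENERIC_RESPONSE = "If an account exists for that address, a reset email has been sent."
OUTBOX: list[tuple[str, str]] = []  # pending mails, flushed off the request path


def forgot_password_hardened(email: str, mailer: Mailer) -> str:
    """One fixed response regardless of account existence or SMTP state.
    The mail is queued rather than sent inline, so neither the message nor
    the response time depends on whether the address is registered.
    `mailer` is accepted only so both handlers share one signature."""
    if email in REGISTERED_USERS:
        OUTBOX.append((email, "Your password reset link: <token>"))
    return GENERIC_RESPONSE


def flush_outbox(mailer: Mailer) -> int:
    """Background delivery: send queued mails and log failures server-side,
    where operators can see them, instead of reflecting them to the client.
    Returns the number of failed sends."""
    failures = 0
    while OUTBOX:
        to_address, body = OUTBOX.pop(0)
        try:
            mailer.send(to_address, body)
        except smtplib.SMTPException as exc:
            failures += 1
            log.error("password reset mail to %s failed: %s", to_address, exc)
    return failures


def is_enumerable(handler: Callable[[str, Mailer], str], mailer: Mailer,
                  known: str, unknown: str) -> bool:
    """Attacker's probe: submit one address known to be registered and one
    that is not; if the response bodies differ, the endpoint enumerates users."""
    return handler(known, mailer) != handler(unknown, mailer)


if __name__ == "__main__":
    smtp = UnresponsiveSmtp()
    for name, handler in (("vulnerable", forgot_password_vulnerable),
                          ("hardened", forgot_password_hardened)):
        leak = is_enumerable(handler, smtp, "alice@example.com", "nobody@example.com")
        print(f"{name}: user enumeration {'possible' if leak else 'not possible'}")
    print("failed sends logged server-side:", flush_outbox(smtp))
```

The hardened handler fixes two channels, not one: the response body is constant, and because delivery is queued, a hanging SMTP connection no longer adds seconds to requests for registered addresses only, which would otherwise leave a timing oracle in place. The advisory says the affected project addressed the issue in 8.18.10; this block illustrates the class of fix and does not claim to be that patch.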
How to fix CVE-2023-49274
To remediate CVE-2023-49274, upgrade the affected package to a fixed version below.
- Upgrade to 8.18.10 or later.
Is CVE-2023-49274 being exploited?
Low. The EPSS score is 0.37%, a low predicted probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not a record of observed attacks: a user-enumeration oracle like this one is cheap to probe and is normally a stepping stone to credential stuffing or targeted phishing, so treat the score as a prioritisation signal rather than evidence that an exposed reset endpoint is safe.
Affected packages (1)
- >= 8.0.0, < 8.18.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |