SS-2017-005: User enumeration via timing attack on login and password reset forms
- Severity: Medium
- Identifier: SS-2017-005
- Versions Affected: 3.5.4 and below to 3.6.1
- Versions Fixed: 3.5.5, 3.6.2
- Release Date: 2017-09-28
User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials.
Credit to Daniel Hensby (SilverStripe) and Erez Yalon (Checkmarx)
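The leak described above, as an added illustration (not SilverStripe's code): a login check that returns early for unknown usernames beside one that does the same hashing work on every attempt. The user store, passwords and PBKDF2 iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # PBKDF2 work factor: the expensive step an attacker times

def derive(password: str, salt: bytes) -> bytes:
    # Slow password hash; each call costs roughly the same CPU time.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample store with one known user (not SilverStripe's schema).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, derive("correct horse", _SALT))}
# Dummy credential: unknown users are checked against it so the hardened
# path performs exactly one derivation whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, derive("placeholder-dummy", _DUMMY_SALT))

def login_leaky(username: str, password: str) -> bool:
    # Vulnerable shape: unknown accounts return before any hashing, so their
    # rejection arrives measurably faster than a wrong password for a real one.
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return hmac.compare_digest(derive(password, salt), stored)

def login_constant_work(username: str, password: str) -> bool:
    # Hardened shape: always derive and compare, falling back to the dummy
    # credential, so response time no longer depends on account existence.
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(derive(password, salt), stored)
    return match and username in USERS  # a dummy match must never log in

def fastest_ms(fn, username: str, password: str, rounds: int = 5) -> float:
    # Best-of-N wall-clock time: the signal a remote timing attack measures.
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(username, password)
        best = min(best, time.perf_counter() - t0)
    return best * 1000

if __name__ == "__main__":
    for fn in (login_leaky, login_constant_work):
        known = fastest_ms(fn, "alice", "wrong")
        unknown = fastest_ms(fn, "nobody", "wrong")
        print(f"{fn.__name__:20s} known {known:7.2f} ms  unknown {unknown:7.2f} ms")
```

The password reset form needs the same treatment: respond identically, and with the same amount of work, whether or not the submitted identity is registered.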