
SS-2025-001 User enumeration via timing attack

Severity:
Medium
Identifier:
SS-2025-001
Versions Affected:
silverstripe/framework: <5.3.23
Versions Fixed:
silverstripe/framework: 5.3.23
Release Date:
2025-04-10

User enumeration is possible by performing a timing attack against the login or password reset pages using submitted user credentials.

This was originally disclosed in https://www.silverstripe.org/download/security-releases/ss-2017-005/ for CMS 3, but the fix was not applied in CMS 4 and later.
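As an added illustration (not code from this advisory or from silverstripe/framework), the pattern behind this class of bug, shown in Python: a login check that returns early for unknown usernames skips the expensive password hash, so the response is measurably faster than for a real account, while the hardened version always performs exactly one hash computation, against a dummy record when the user is unknown, so both paths cost the same. The sample account, the dummy record and all function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data (not from the advisory): one real account plus a
# dummy record used only to equalise work for unknown usernames.
PBKDF2_ITERATIONS = 50_000
FIXED_SALT = b"\x00" * 16           # fixed so the example is deterministic


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


USERS = {"alice": (FIXED_SALT, hash_password("correct horse", FIXED_SALT))}
DUMMY_SALT = b"\x01" * 16
DUMMY_HASH = hash_password("placeholder-never-matches", DUMMY_SALT)

HASH_CALLS = {"count": 0}           # counts expensive hash computations


def counted_hash(password: str, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return hash_password(password, salt)


def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users: no hash work is done, so the faster
    response reveals that the account does not exist (the timing channel)."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(counted_hash(password, salt), stored)


def login_hardened(username: str, password: str) -> bool:
    """Always performs exactly one hash computation, against the dummy
    record when the user is unknown, so both paths cost the same."""
    exists = username in USERS
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    candidate = counted_hash(password, salt)
    return hmac.compare_digest(candidate, stored) and exists


def hash_calls_for(login, username: str, password: str) -> int:
    """Number of hash computations one login attempt triggers."""
    HASH_CALLS["count"] = 0
    login(username, password)
    return HASH_CALLS["count"]
```

The same principle applies to a password reset form: do the same work (lookup, token generation, queued notification) whether or not the supplied address matches an account, and return an identical response either way.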

Base CVSS: 5.3