{"id":"CVE-2017-12849","details":"Response discrepancy in the login and password reset forms in SilverStripe CMS before 3.5.5 and 3.6.x before 3.6.1 allows remote attackers to enumerate users via timing attacks.","aliases":["GHSA-fwhr-g5r4-xgxf"],"modified":"2026-03-14T09:24:23.636262Z","published":"2017-10-12T15:29:00.310Z","references":[{"type":"ADVISORY","url":"https://www.silverstripe.org/download/security-releases/ss-2017-005"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/silverstripe/silverstripe-cms","events":[{"introduced":"0"},{"last_affected":"11e2175ec86024ba48f595c484cce4fbc30ce8c7"},{"introduced":"0"},{"last_affected":"08093ea308c13f1f334a01b46d66b720bd86216e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.5.4"},{"introduced":"0"},{"last_affected":"3.6.0"}]}}],"versions":["2.2.0-rc1","2.2.2-rc1","2.3.0-rc1","2.4.0","2.4.0-alpha1","2.4.0-beta1","2.4.0-beta2","2.4.0-rc1","2.4.0-rc2","2.4.0-rc3","2.4.1","2.4.1-rc1","2.4.1-rc2","2.4.10","2.4.2","2.4.2-rc1","2.4.2-rc2","2.4.3","2.4.3-rc1","2.4.3-rc2","2.4.4","2.4.4-rc1","2.4.4-rc2","2.4.5","2.4.5-rc1","2.4.6","2.4.7","2.4.8","2.4.8-rc1","2.4.9","3.0.0","3.0.0-alpha1","3.0.0-alpha2","3.0.0-beta1","3.0.0-beta2","3.0.0-beta3","3.0.0-pr1","3.0.0-rc1","3.0.0-rc2","3.0.0-rc3","3.0.1","3.0.1-rc1","3.0.1-rc2","3.0.1-rc3","3.0.10","3.0.10-rc1","3.0.11","3.0.11-rc1","3.0.2","3.0.2-rc1","3.0.2-rc2","3.0.3","3.0.3-rc1","3.0.3-rc2","3.0.4","3.0.5","3.0.6","3.0.6-rc1","3.0.6-rc2","3.0.7","3.0.8","3.0.9","3.0.9-rc1","3.1.0","3.1.0-beta1","3.1.0-beta2","3.1.0-beta3","3.1.0-rc1","3.1.0-rc3","3.1.1","3.1.10","3.1.10-rc1","3.1.10-rc2","3.1.11","3.1.11-rc1","3.1.12","3.1.13","3.1.13-rc1","3.1.14","3.1.14-rc1","3.1.15","3.1.16","3.1.16-rc1","3.1.17","3.1.17-rc1","3.1.17-rc2","3.1.18","3.1.18-rc1","3.1.18-rc2","3.1.19","3.1.19-rc1","3.1.2","3.1.2-rc1","3.1.20","3.1.20-rc1","3.1.20-rc2","3.1.21","3.1.3","3.1.3-rc1","3.1.3-rc2","3.1.4","3.1.4-rc1","3.1.5","3.1.5-rc1","3.1.6","3.1.6-rc1","3.1.6-rc2","3.1.6-rc3","3.1.7","3.1.7-rc1","3.1.8","3.1.9","3.1.9-rc1","3.2.0","3.2.0-beta1","3.2.0-beta2","3.2.0-rc1","3.2.0-rc2","3.2.1","3.2.1-rc1","3.2.1-rc2","3.2.2","3.2.2-rc1","3.2.2-rc2","3.2.3","3.2.3-rc1","3.2.3-rc2","3.2.4","3.2.4-rc1","3.2.5","3.2.5-rc1","3.2.5-rc2","3.2.6","3.3.0","3.3.0-beta1","3.3.0-rc1","3.3.0-rc2","3.3.0-rc3","3.3.1","3.3.1-rc1","3.3.1-rc2","3.3.2","3.3.2-rc1","3.3.3","3.3.3-rc1","3.3.3-rc2","3.3.4","3.4.0","3.4.0-rc1","3.4.1","3.4.1-rc1","3.4.1-rc2","3.4.2","3.4.3","3.4.3-rc1","3.4.4","3.4.4-rc1","3.4.5","3.4.5-rc1","3.4.6","3.4.6-rc1","3.4.6-rc2","3.5.0","3.5.0-rc1","3.5.0-rc2","3.5.0-rc3","3.5.1","3.5.1-rc1","3.5.1-rc2","3.5.2","3.5.2-rc1","3.5.3","3.5.3-rc1","3.5.4","3.5.4-rc1","HamishsTesta2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12849.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}