CraftCMS User Enumeration

medium Web App Scanning Plugin ID 113894

Synopsis

CraftCMS User Enumeration

Description

In default CraftCMS installation there is available methodology to enumerate user information. These CraftCMS users may then be used in brute-force attacks against CraftCMS login page to guess passwords.

Solution

Block requests to sensitive user information at the server using .htaccess file or WAF for example. You should block or redirect all requests made to '/index.php?p=admin%2Factions%2Fusers%2Fsend-password-reset-email'.

See Also

https://craftcms.com/knowledge-base/securing-craft

Plugin Details

Severity: Medium

ID: 113894

Type: remote

Published: 5/5/2023

Updated: 5/5/2023

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information