Security fix in Optimizely CMS 11

If your organization uses Optimizely CMS 11, it’s a good idea to update to the most recent version.

The EPiServer.CMS.UI package, a core component of Optimizely CMS 11, has been found to contain a high-severity security vulnerability. The flaw is linked to the Microsoft.AspNet.Identity.Owin package, which the CMS uses for identity management.

Issue Detail:
There is a vulnerability in ASP.NET Core applications where the account lockout after the maximum number of failed attempts may not update immediately. This flaw allows attackers to make additional password attempts beyond the lockout threshold.
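
To check whether the lockout was enforced on your own site, the following added example (not Optimizely's or Microsoft's code) scans sign-in logs for password checks that were still evaluated after an account reached the lockout threshold. The log line format, the `FAIL`/`OK`/`LOCKED` result names, and the threshold and lockout duration are assumptions; adapt them to your logging and Identity configuration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sign-in log (format and result names are assumptions).
SAMPLE = """\
2024-05-01T10:00:00Z user=alice result=FAIL
2024-05-01T10:00:01Z user=alice result=FAIL
2024-05-01T10:00:02Z user=alice result=FAIL
2024-05-01T10:00:02Z user=alice result=FAIL
2024-05-01T10:00:03Z user=alice result=FAIL
2024-05-01T10:00:04Z user=alice result=LOCKED
2024-05-01T10:00:05Z user=bob result=FAIL
2024-05-01T10:00:06Z user=bob result=FAIL
2024-05-01T10:00:07Z user=bob result=OK
2024-05-01T10:00:08Z user=bob result=FAIL
2024-05-01T10:06:00Z user=alice result=FAIL
"""
LINE = re.compile(r"^(\S+) user=(\S+) result=(FAIL|OK|LOCKED)$")

def excess_attempts(lines, threshold=5, lockout=timedelta(minutes=5)):
    """Return {user: n}: password checks evaluated while the account
    should already have been locked out."""
    fails, locked_until, excess = {}, {}, {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a sign-in event
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        user, result = m.group(2), m.group(3)
        if result == "LOCKED":
            continue  # rejected without a password check: lockout worked
        until = locked_until.get(user)
        if until is not None:
            if ts < until:
                # Password was checked during a lockout that should be active.
                excess[user] = excess.get(user, 0) + 1
                continue
            del locked_until[user]  # lockout expired, start counting afresh
            fails[user] = 0
        if result == "OK":
            fails[user] = 0  # a successful sign-in resets the failure count
        else:
            fails[user] = fails.get(user, 0) + 1
            if fails[user] >= threshold:
                locked_until[user] = ts + lockout
    return excess

if __name__ == "__main__":
    print(excess_attempts(SAMPLE.splitlines(), threshold=3))
```

Any account reported here received password attempts beyond the threshold and is worth reviewing after the upgrade.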

Immediate Action Required:
Optimizely has patched this vulnerability in the latest release of the EPiServer.CMS.UI package. To protect your systems, please upgrade to this latest version without delay.

More details about the issue can be found here, and the release notes containing the fix can be found here.
