| Titel | GitHub OpnForm 1.9.3 Account Enumeration on Password Recovery |
|---|
| Beschreibung | Title: Account Enumeration Allowed on /api/password/email Endpoint
Description: Account enumeration is possible due to observable messages in the forgotten password functionality. Three distinct messages are provided to the unauthenticated user, two of which signify that the account exists.
The vendor has aligned this with Laravel issue #46465, thus no mitigation action was taken.
Please see the attached Google Doc link for more information under 9. Account Enumeration Allowed on /api/password/email Endpoint and the Response from the Vendor section for more detail.
Vulnerable version: https://github.com/JhumanJ/OpnForm/tree/v1.9.3
Patched Commit: N/A
Laravel Issue: https://github.com/laravel/framework/issues/46465 |
|---|
| Quelle | ⚠️ https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.my0ldciyllp |
|---|
| Benutzer | balejin (UID 89385) |
|---|
| Einreichung | 01.10.2025 21:15 (vor 9 Monaten) |
|---|
| Moderieren | 07.10.2025 15:17 (6 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 327380 [JhumanJ OpnForm bis 1.9.3 Forgotten Password /api/password/email Information Disclosure] |
|---|
| Punkte | 20 |
|---|