| Field | Value |
|---|---|
| Title | GitHub OpnForm 1.9.3 Account Enumeration on Password Recovery |
| Description | Title: Account Enumeration Allowed on /api/password/email Endpoint<br>Description: Account enumeration is possible due to observable messages in the forgotten password functionality. Three distinct messages are provided to the unauthenticated user, two of which signify that the account exists.<br>The vendor has aligned this with Laravel issue #46465, thus no mitigation action was taken.<br>Please see the attached Google Doc link for more information under "9. Account Enumeration Allowed on /api/password/email Endpoint" and the "Response from the Vendor" section for more detail.<br>Vulnerable version: https://github.com/JhumanJ/OpnForm/tree/v1.9.3<br>Patched Commit: N/A<br>Laravel Issue: https://github.com/laravel/framework/issues/46465 |
| Source | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.my0ldciyllp |
| User | balejin (UID 89385) |
| Submitted | 2025-10-01 09:15 PM (9 months ago) |
| Moderation | 2025-10-07 03:17 PM (6 days later) |
| Status | Accepted |
| VulDB Entry | 327380 [JhumanJ OpnForm up to 1.9.3 Forgotten Password /api/password/email information disclosure] |
| Points | 20 |