| Title | GitHub OpnForm 1.9.3 Account Enumeration on Password Recovery |
|---|
| Description | Title: Account Enumeration Allowed on /api/password/email Endpoint
Description: Account enumeration is possible due to observable messages in the forgotten password functionality. Three distinct messages are provided to the unauthenticated user, two of which signify that the account exists.
The vendor has aligned this with Laravel issue #46465, thus no mitigation action was taken.
Please see the attached Google Doc link for more information under 9. Account Enumeration Allowed on /api/password/email Endpoint and the Response from the Vendor section for more detail.
Vulnerable version: https://github.com/JhumanJ/OpnForm/tree/v1.9.3
Patched Commit: N/A
Laravel Issue: https://github.com/laravel/framework/issues/46465 |
|---|
| Source | ⚠️ https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.my0ldciyllp |
|---|
| User | balejin (UID 89385) |
|---|
| Submission | 10/01/2025 21:15 (9 months ago) |
|---|
| Moderation | 10/07/2025 15:17 (6 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 327380 [JhumanJ OpnForm up to 1.9.3 Forgotten Password /api/password/email information exposure] |
|---|
| Points | 20 |
|---|