CVE-2020-15132 Reset Password / Login vulnerability in Sulu

2020-08-0520:30:13

CWE-209

GitHub_M

www.cve.org

sulu

vulnerability

username retrieval

email addresses

security fix

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

47.4%

JSON

In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the “Forget password” feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a 400 error code is returned, along with a error message saying that this user name does not exist. This enables attackers to retrieve valid usernames. Also, the response of the “Forgot Password” request returns the email address to which the email was sent, if the operation was successful. This information should not be exposed, as it can be used to gather email addresses. This problem was fixed in versions 1.6.35, 2.0.10 and 2.1.1.

CNA Affected

[
  {
    "product": "sulu",
    "vendor": "sulu",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.6.35"
      },
      {
        "status": "affected",
        "version": ">= 2.0.0, < 2.0.10"
      },
      {
        "status": "affected",
        "version": "= 2.1.0"
      }
    ]
  }
]