snipe/snipe-it is vulnerable to information disclosure. A remote unauthenticated attacker is able to enumerate users through the response message in the password reset page to figure out on which email address to try a password brute-force attack and gain access to user credentials.