CVE-2020-15132 Information

Description

In Sulu before versions 1.6.35 2.0.10 and 2.1.1 when the \Forget password\ feature on the login screen is used Sulu asks the user for a username or email address. If the given string is not found a response with a 400 error code is returned along with a error message saying that this user name does not exist. This enables attackers to retrieve valid usernames. Also the response of the \Forgot Password\ request returns the email address to which the email was sent if the operation was successful. This information should not be exposed as it can be used to gather email addresses. This problem was fixed in versions 1.6.35 2.0.10 and 2.1.1.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

https://github.com/sulu/sulu/security/advisories/GHSA-wfm4-pq59-wg6r

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

5.3