october/october

vulnerability username enumeration
severity 3.7
language php
registry packagist

Description

Username enumeration is possible at the octobercms login page.

POC

  1. Clone and set up octobercms.
  2. Username enumeration is possible at http://localhost/octobercms/backend/backend/auth/signin
  3. Correct usernames return "a user found ....."
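
The pattern behind this report, as an added example (generic PHP, not October CMS code or the reporter's): a sign-in routine whose failure message differs for known and unknown names, beside one that returns a single message and always verifies a hash. The function names, user store and messages are constructed for illustration.

```php
<?php
// Added example: generic PHP, not October CMS code. All names and messages are constructed.

// Constructed user store: login name => password hash.
$USERS = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Vulnerable pattern: the error text depends on whether the login name exists.
function signinLeaky(array $users, string $login, string $password): string
{
    if (!isset($users[$login])) {
        return 'no such user';                 // constructed message
    }
    if (!password_verify($password, $users[$login])) {
        return 'user found, wrong password';   // constructed message, reveals the account exists
    }
    return 'ok';
}

// Hardened pattern: one message for every failure, and a hash is always verified
// so unknown names cost roughly the same time as known ones.
function signinUniform(array $users, string $login, string $password): string
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Throwaway hash used only to spend verification time on unknown names.
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $known = isset($users[$login]);
    $hash  = $known ? $users[$login] : $dummyHash;
    $valid = password_verify($password, $hash);
    return ($known && $valid) ? 'ok' : 'invalid login or password';
}

// Check: failures for a known and an unknown name must be indistinguishable.
foreach (['signinLeaky', 'signinUniform'] as $fn) {
    $a = $fn($USERS, 'admin', 'wrong');
    $b = $fn($USERS, 'nobody', 'wrong');
    printf("%-14s known=%-30s unknown=%-30s %s\n", $fn, "\"$a\"", "\"$b\"",
        $a === $b ? 'uniform' : 'ENUMERABLE');
}
```

The same comparison of the two failure responses can be kept as a regression test on the sign-in handler, so a later change to the error text does not reintroduce the difference.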
