Username enumeration on the "Forgot Password" page of Spree.
Proof of Concept
- Clone the GitHub repo and set up the Spree platform, or use the demo site: https://demo.spreecommerce.org/
- Create a new account by clicking the User menu (upper righthand corner) > "Sign Up"
- Log out and go back to the "Login" page.
- Click "Forgot Password"
- Enter an incorrect email and click "Reset My Password".
- Enter a correct email and click "Reset My Password" again.
- The two responses differ, so valid logins (registered emails) can be enumerated.
- [POC] https://drive.google.com/file/d/1di5jNI1hyYoFcqs17iCG-EUibDa9TWhI/view?usp=sharing; https://drive.google.com/file/d/1xSgV14W32V34htF5RWcxnVwugI6gEe8L/view?usp=sharing
The attacker is able to enumerate usernames via the "Forgot Password" functionality.
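The steps above rely on the reset endpoint answering differently for registered and unregistered emails. The following Ruby snippet is an added example, not Spree's own code: it models a minimal "forgot password" responder in its leaking form next to a hardened form that returns the same status and message for every input, plus a regression check a maintainer can keep in a test suite. The user store, email addresses and messages are constructed for the example; the mail sender is a stand-in that only records what would be sent.

```ruby
require 'securerandom'

# Constructed user store (example data, not a real account list): email -> record.
REGISTERED = {
  'alice@example.com' => { id: 1 },
  'bob@example.com'   => { id: 2 }
}.freeze

# Stand-in for mail delivery; records outgoing mail so the example is testable.
SENT = []
def enqueue_reset_mail(email)
  SENT << { to: email, token: SecureRandom.hex(16) }
end

# Leaking variant: status and message depend on whether the email exists,
# which is the observable difference the report above describes.
def forgot_password_leaky(email, users = REGISTERED)
  if users.key?(email)
    enqueue_reset_mail(email)
    { status: 200, message: 'Reset instructions have been sent to your email.' }
  else
    { status: 422, message: 'Email not found.' }
  end
end

# Hardened variant: identical status and message regardless of the input.
# Only the side effect (sending mail) differs, and the caller cannot see it.
def forgot_password_uniform(email, users = REGISTERED)
  enqueue_reset_mail(email) if users.key?(email)
  { status: 200, message: 'If an account exists for that email, reset instructions have been sent.' }
end

# Regression check: the externally visible response must be the same for a
# registered and an unregistered address. Returns true when no leak is present.
def response_independent_of_account?(responder)
  known   = send(responder, 'alice@example.com')   # registered in the constructed store
  unknown = send(responder, 'nobody@example.com')  # not registered
  known == unknown
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky   : #{response_independent_of_account?(:forgot_password_leaky)}"   # false
  puts "uniform : #{response_independent_of_account?(:forgot_password_uniform)}" # true
end
```

Two caveats worth keeping in mind when applying this pattern to a real Rails/Devise application. First, the check above only covers the body and status: the hardened handler still does more work for a registered address (token generation, mail enqueue), so response timing can remain a weaker signal unless that work is moved off the request path. Second, Devise already provides this uniform behaviour for its recoverable and confirmable flows through the `config.paranoid = true` setting in the Devise initializer; whether Spree's auth layer exposes that setting is not something this page states, so treat it as a general Devise fact rather than the project's fix.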
- [x] Created and populated the README.md and vulnerability.json files
- [x] Provided the repository URL and any applicable permalinks
- [x] Defined all the applicable weaknesses (CWEs)
- [x] Proposed the CVSS vector items i.e. User Interaction, Attack Complexity
- [x] Checked that the vulnerability affects the latest version of the package released
- [x] Checked that a fix does not currently exist that remediates this vulnerability
- [x] Complied with all applicable laws