Description

Username enumeration on the "Forgot Password" page of Spree.

Proof of Concept

1. Clone the github repo & set up spree platform -- OR -- use the demo site: https://demo.spreecommerce.org/
2. Create a new account by clicking the User menu (upper righthand corner) > "Sign Up"
3. Log out and go back to the "Login" page.
4. Click "Forgot Password"
5. Enter an incorrect email and click "Reset My Password".
6. Enter a correct password and click again on "Reset My Password"
7. Logins can be enumerated

• [POC] https://drive.google.com/file/d/1di5jNI1hyYoFcqs17iCG-EUibDa9TWhI/view?usp=sharing; https://drive.google.com/file/d/1xSgV14W32V34htF5RWcxnVwugI6gEe8L/view?usp=sharing

Impact

The attacker is able to enumerate usernames via the "Forgot Passowrd" functionality.

Checklist

• [x] Created and populated the README.md and vulnerability.json files
• [x] Provided the repository URL and any applicable permalinks
• [x] Defined all the applicable weaknesses (CWEs)
• [x] Proposed the CVSS vector items i.e. User Interaction, Attack Complexity
• [x] Checked that the vulnerability affects the latest version of the package released
• [x] Checked that a fix does not currently exist that remediates this vulnerability
• [x] Complied with all applicable laws