vulnerability username enumeration
severity 3.7
language ruby
registry rubygems


Username enumeration on the "Forgot Password" page of Spree.

Proof of Concept

  1. Clone the github repo & set up spree platform -- OR -- use the demo site: https://demo.spreecommerce.org/
  2. Create a new account by clicking the User menu (upper righthand corner) > "Sign Up"
  3. Log out and go back to the "Login" page.
  4. Click "Forgot Password"
  5. Enter an incorrect email and click "Reset My Password".
  6. Enter a correct password and click again on "Reset My Password"
  7. Logins can be enumerated
  • [POC] https://drive.google.com/file/d/1di5jNI1hyYoFcqs17iCG-EUibDa9TWhI/view?usp=sharing; https://drive.google.com/file/d/1xSgV14W32V34htF5RWcxnVwugI6gEe8L/view?usp=sharing


The attacker is able to enumerate usernames via the "Forgot Passowrd" functionality.


  • [x] Created and populated the README.md and vulnerability.json files
  • [x] Provided the repository URL and any applicable permalinks
  • [x] Defined all the applicable weaknesses (CWEs)
  • [x] Proposed the CVSS vector items i.e. User Interaction, Attack Complexity
  • [x] Checked that the vulnerability affects the latest version of the package released
  • [x] Checked that a fix does not currently exist that remediates this vulnerability
  • [x] Complied with all applicable laws