Username can be enumerated by password reset endpoint in snipe/snipe-it


Reported on

Jun 19th 2022


The error message on /password/reset/1 can indicate whether the username exists in the instance.

I believe this is a valid issue for the following reason:

  1. /password/reset after submitting the username on this page, the server always returns success no matter whether the username exist
  2. ForgotPasswordController.php In this file, you added a random sleep to prevent user enumeration.

Proof of Concept

Open /password/reset/1, for example,

you can see the different responses by using a different username, admin and not-existed-user

(make sure you enter a password that match the security rules)

For the admin user, the response is passwords.token. (which is missing lang translation I think)

As for the others, the response is 500 | SERVER ERROR.

In my self-hosted site, the response is No matching active user found with that email.

An attacker can write a script to detect what users are registered on this snipe-it instance.


Usernames of the snipe-it instance can be enumerated

We are processing your report and will contact the snipe/snipe-it team within 24 hours. 18 days ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back 17 days ago
Brady Wetherington gave praise 16 days ago
I've been able to replicate this, I'm just struggling with what wording we'd like to use for the CVE.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
snipe modified the Severity from Medium to Low 15 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
snipe validated this vulnerability 15 days ago
imlonghao has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
snipe confirmed that a fix has been merged on 218751 15 days ago
snipe has been awarded the fix bounty
to join this conversation