Observable Response Discrepancy in amirsanni/mini-inventory-and-sales-management-system

Valid

Reported on Sep 26th 2021


Description

It is possible to enumerate registered email addresses through the forgot-password functionality, because the application returns a different response depending on whether or not the submitted email exists.

Proof of Concept

https://i.imgur.com/lFJ2f05.png

Impact

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
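The pattern the report describes, as an added example that is not code from the project: a forgot-password handler that reveals whether an address is registered, beside a hardened version that returns the same status and message either way, plus a self-check a maintainer can run against both. The user store and the reset-token outbox are constructed stand-ins.

```python
import secrets

# Constructed sample user store (stand-in for the application's database).
USERS = {"alice@example.test": {"id": 1}}

# Outbox for reset tokens, so the example runs without a mail server.
SENT = []


def forgot_password_vulnerable(email: str) -> dict:
    """Reproduces the reported behaviour: the response differs depending on
    whether the email is registered (CWE-203, observable discrepancy)."""
    user = USERS.get(email)
    if user is None:
        return {"status": 404, "message": "No account found for this email."}
    token = secrets.token_urlsafe(32)
    SENT.append((email, token))
    return {"status": 200, "message": "A reset link has been sent."}


def forgot_password_fixed(email: str) -> dict:
    """Hardened form: identical status and message whether or not the email
    exists. The token is generated on both paths so the code path is uniform,
    but it is only delivered when an account actually exists."""
    user = USERS.get(email)
    token = secrets.token_urlsafe(32)  # same work on both paths
    if user is not None:
        SENT.append((email, token))
    return {
        "status": 200,
        "message": "If an account exists for that email, a reset link has been sent.",
    }


def response_discrepancy(handler, known: str, unknown: str) -> bool:
    """Maintainer-side check: True if the handler's response for a registered
    address differs from that for an unregistered one, i.e. the endpoint
    leaks account existence."""
    return handler(known) != handler(unknown)
```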

We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back (2 months ago)
Amir validated this vulnerability (10 days ago)
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir confirmed that a fix has been merged on 8a5595 (10 days ago)
Amir has been awarded the fix bounty
index.php#L1-L315 has been validated