Observable Response Discrepancy in amirsanni/mini-inventory-and-sales-management-system

Valid

Reported on Sep 26th 2021


Description

It is possible to enumerate registered emails using the forgot password functionality, as the application shows a different response when an email exists and when it does not exist.

Proof of Concept

https://i.imgur.com/lFJ2f05.png

Impact

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
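
The pattern described in this report, next to a uniform-response variant, as an added example: this is not the project's code and not the fix applied in the private repo. The function names, in-memory arrays, messages and status codes are assumptions made for illustration.

```php
<?php
// Constructed sample data: stands in for the application's user table.
$USERS  = ['alice@example.com' => ['id' => 1]];
$OUTBOX = [];   // stands in for the outgoing mail queue
$RESETS = [];   // stands in for a password reset table

// Before: the response reveals whether the address is registered.
function forgot_password_leaky(string $email, array $users): array
{
    if (!isset($users[strtolower(trim($email))])) {
        return ['status' => 404, 'msg' => 'Email not found'];
    }
    return ['status' => 200, 'msg' => 'Reset link sent'];
}

// After: same status and body for every well-formed address.
function forgot_password_uniform(string $email, array $users, array &$resets, array &$outbox): array
{
    $generic = ['status' => 200, 'msg' => 'If that address is registered, a reset link has been sent.'];
    $email = strtolower(trim($email));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        // A format error says nothing about account existence.
        return ['status' => 400, 'msg' => 'Enter a valid email address.'];
    }
    // Generate the token on both paths so they do similar work.
    $token = bin2hex(random_bytes(32));
    if (isset($users[$email])) {
        // Store only a hash of the token, with a 15 minute expiry.
        $resets[$email] = ['hash' => hash('sha256', $token), 'expires' => time() + 900];
        // Queue the mail instead of sending inline, so delivery latency
        // does not become a timing difference between the two paths.
        $outbox[] = ['to' => $email, 'token' => $token];
    }
    return $generic;
}

// Compare both handlers for a registered and an unregistered address.
foreach (['alice@example.com', 'nobody@example.com'] as $addr) {
    $leaky = forgot_password_leaky($addr, $USERS);
    $fixed = forgot_password_uniform($addr, $USERS, $RESETS, $OUTBOX);
    printf("%-20s leaky=%d (%s) uniform=%d (%s)\n",
        $addr, $leaky['status'], $leaky['msg'], $fixed['status'], $fixed['msg']);
}
printf("mails queued: %d\n", count($OUTBOX));
```

Rate limiting on the endpoint complements the uniform response, since the same discrepancy can reappear through response time or through a registration form.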

We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back a year ago
Amir validated this vulnerability a year ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir marked this as fixed with commit 8a5595 a year ago (this fix was applied on a private repo)
Amir has been awarded the fix bounty
This vulnerability will not receive a CVE
index.php#L1-L315 has been validated