Observable Response Discrepancy in amirsanni/mini-inventory-and-sales-management-system


Reported on Sep 26th 2021


It is possible to enumerate registered email addresses through the forgot-password functionality, because the application returns a different response depending on whether the submitted email exists or not.

Proof of Concept



The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
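To make the discrepancy concrete, here is a forgot-password handler in the vulnerable shape the report describes beside a hardened form that answers identically in both cases. This is an added example, not code from the amirsanni/mini-inventory-and-sales-management-system repository; the user store, the function names and the mailer stub are hypothetical.

```php
<?php
// Added example (not the project's code). The user store, the handler names
// and queue_reset_email() are hypothetical stand-ins for the application's own.

// Constructed sample user store: email => user id.
$users = ['alice@example.com' => 1];

// Vulnerable: the message differs depending on whether the email is registered,
// so an unauthenticated caller can tell which addresses have accounts.
function forgot_password_vulnerable(array $users, string $email): string {
    if (!isset($users[$email])) {
        return 'No account found with that email address.';
    }
    queue_reset_email($email);
    return 'A password reset link has been sent to your email.';
}

// Hardened: one fixed message for both outcomes. The reset mail is only queued
// when the account exists, and the unknown-address case is logged server-side
// (for monitoring and rate limiting) instead of being reported to the caller.
function forgot_password_hardened(array $users, string $email): string {
    if (isset($users[$email])) {
        queue_reset_email($email);
    } else {
        error_log('password reset requested for unknown address: ' . $email);
    }
    return 'If an account exists for that address, a reset link has been sent.';
}

// Hypothetical mailer stub standing in for the application's email sending.
function queue_reset_email(string $email): void {
    // The real application would create a single-use token here and send it.
}

// Demonstration: the hardened handler's output is identical for both inputs,
// while the vulnerable handler reveals which address is registered.
foreach (['alice@example.com', 'nobody@example.com'] as $email) {
    echo "vulnerable: " . forgot_password_vulnerable($users, $email) . PHP_EOL;
    echo "hardened:   " . forgot_password_hardened($users, $email) . PHP_EOL;
}
```

A uniform message closes the textual channel but not a timing one: if sending the mail happens inline only for known accounts, response time still differs, so queue the send asynchronously and rate-limit the endpoint as well.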

We contacted a member of the amirsanni/mini-inventory-and-sales-management-system team a year ago and are waiting to hear back
Amir validated this vulnerability a year ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir marked this as fixed a year ago: the fix was applied on a private repo with commit 8a5595
Amir has been awarded the fix bounty
This vulnerability will not receive a CVE
index.php#L1-L315 has been validated