Observable Response Discrepancy in Lost Password Service

Moderate
brusch published GHSA-579x-cjvr-cqj9 Sep 15, 2021

Package

composer pimcore/pimcore (Composer)

Affected versions

< 10.1.3

Patched versions

10.1.3

Description

Impact

It is possible to enumerate usernames via the forgot-password functionality, because the lost password service's response reveals whether the submitted username exists.
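The weakness in the vulnerable shape, as an added illustration that is not Pimcore's code: a minimal lost-password handler whose response depends on whether the username exists, beside a hardened handler that answers identically either way, plus a check a reviewer can run to compare the two. The user store and mail sender are constructed placeholders.

```python
# Added example (not Pimcore code): observable response discrepancy in a
# lost-password handler, and the hardened form that removes it.
from dataclasses import dataclass

# Constructed user store standing in for the application's user table.
KNOWN_USERS = {"alice": "alice@example.org"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def send_reset_mail(address: str) -> None:
    """Placeholder for the mail sender; the real service queues an e-mail."""
    return None


def lost_password_vulnerable(username: str) -> Response:
    # Vulnerable shape: an unknown username gets a distinct error response,
    # so the reply discloses which usernames exist.
    if username not in KNOWN_USERS:
        return Response(404, "User not found")
    send_reset_mail(KNOWN_USERS[username])
    return Response(200, "Reset mail sent")


def lost_password_hardened(username: str) -> Response:
    # Hardened shape: identical status and body whether or not the account
    # exists; the mail is only sent for a known account, but the caller
    # cannot tell from the HTTP response. Note that the extra work done for
    # a known account can still show up as a timing difference, which needs
    # separate treatment (e.g. queueing the mail asynchronously).
    if username in KNOWN_USERS:
        send_reset_mail(KNOWN_USERS[username])
    return Response(200, "If the account exists, a reset mail has been sent")


def responses_differ(handler, known: str, unknown: str) -> bool:
    """Defender-side check: True if the handler's response leaks existence."""
    return handler(known) != handler(unknown)
```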

Patches

Update to version 10.1.3 or apply this patch manually: https://github.com/pimcore/pimcore/pull/10223.patch

Workarounds

Apply https://github.com/pimcore/pimcore/pull/10223.patch manually.

References

https://huntr.dev/bounties/12462a99-ebf8-4e39-80b3-54a16caa3f4c/

Severity

Moderate

CVE ID

CVE-2021-39189

Weaknesses