GHSA-h3qf-v68r-35jg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h3qf-v68r-35jg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-h3qf-v68r-35jg/GHSA-h3qf-v68r-35jg.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-h3qf-v68r-35jg
- Aliases
- Published
- 2023-09-28T06:30:20Z
- Modified
- 2023-11-07T05:21:56.486149Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Economizzer user enumeration vulnerability
- Details
-
The commit 3730880 (April 2023) and v.0.9-beta1 of gugoan Economizzer has a user enumeration vulnerability in the login and forgot password functionalities. The app reacts differently when a user or email address is valid, and when it's not. This may allow an attacker to determine whether a user or email address is valid, or brute force valid usernames and email addresses.
- Database specific
{ "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-203" ], "nvd_published_at": "2023-09-28T04:15:12Z", "github_reviewed_at": "2023-09-28T16:50:32Z" }- References
Affected packages
Packagist / gugoan/economizzer
Package
- Name
- gugoan/economizzer
- Purl
- pkg:composer/gugoan/economizzer