request #43674 User enumeration via the lost password form

Infos

Artifact ID#43674

Submitted byThomas Gerbet (tgerbet)

Last Modified On2025-07-22 14:46

Submitted on2025-06-20 11:40

Rank45364

Details

Summary *

User enumeration via the lost password form

Original Submission

Impact

The forgot password form allows for user enumeration.
CVSSv3.1 score: 5.3 ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

References

CWE 204
Forgot Password - OWASP Cheat Sheet
CVE-2025-52899

Acknowledgements

The issue has been identified by AlgoSecure penetration testing team during an audit sponsored by Enalean.

CategoryOther

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toAntoine Sauzeau (antoinesauzeau)

StatusClosed

Close date2025-06-25

Attachments

AttachmentsEmpty

References

Cross references

Referencing request #43674

Git commit

tuleap/tuleap/stable

fix(reset_password): request #43674 Don't return an error message if the account doesn't exist 5c72d6d253

Antoine Sauzeau (antoinesauzeau) , 2025-06-25 10:51

Merge 'gerrit #34764' into stable/master 1a89f2bed5

Thomas Gerbet (tgerbet) , 2025-06-25 11:18

feat: Add tests to ensure that the user enumeration vuln in the password reset form can't be reintroduced ee50d5ab3f

Antoine Sauzeau (antoinesauzeau) , 2025-07-04 14:33

Show items referenced by request #43674

Referenced by request #43674

Artifact Tracker v5

rel #43670 16.10

Follow-ups

Manuel Vacelet (vaceletm)

2025-07-22 14:46

Connected artifacts
- Changed type from no type to Fixed in: rel #43670

Thomas Gerbet (tgerbet)

2025-07-21 16:10

Public disclosure.

Thomas Gerbet (tgerbet)

2025-06-27 09:45

CVE-2025-52899 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Thomas Gerbet (tgerbet)

2025-06-25 11:24

Status changed from Verified to Closed
Connected artifacts
- Added: rel #43670
Close date set to 2025-06-25

Thomas Gerbet (tgerbet)

2025-06-20 11:42

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes