CVE-2019-7550

Name of the Vulnerable Software and Affected Versions JForum version 2.1.8

Description The issue allows an unauthenticated, remote attacker to determine whether a specific user exists by utilizing the "create user" function. This is achieved by sending a register/check/username?username= request. If the provided username already exists, the system responds with an "is already in use" error. The product is noted to be discontinued.

Recommendations For JForum version 2.1.8, as a temporary workaround, consider restricting access to the "create user" function to prevent user enumeration. Additionally, avoid using the username parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.