CVE-2023-39343

Name of the Vulnerable Software and Affected Versions Sulu versions 2.5.0 through 2.5.9

Description The issue allows detection of existing and non-existing users through the Admin Login form, potentially revealing sensitive information about user accounts. This is possible due to the way the system handles authentication failures. The estimated number of potentially affected devices is not provided.

Recommendations For Sulu versions 2.5.0 through 2.5.9, update to version 2.5.10 to resolve the issue. As a temporary workaround, consider creating a custom AuthenticationFailureHandler that returns the $exception->getMessageKey() instead of the $exception->getMessage() to minimize the risk of exploitation.