Saviynt · Saviynt Enterprise Identity Cloud · CVE-2022-23856
**Name of the Vulnerable Software and Affected Versions**
Saviynt Enterprise Identity Cloud (EIC) version 5.5 SP2.x
**Description**
An issue was discovered that allows an attacker to enumerate users by changing the `id` parameter in the "ECM/maintenance/forgotpasswordstep1" API endpoint.
**Recommendations**
For Saviynt Enterprise Identity Cloud (EIC) version 5.5 SP2.x, consider restricting access to the "ECM/maintenance/forgotpasswordstep1" API endpoint to minimize the risk of exploitation. Avoid using the `id` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.