CVE-2020-14016

Name of the Vulnerable Software and Affected Versions Navigate CMS version 2.9 r1433

Description An issue in the forgot-password feature of Navigate CMS allows users to reset their passwords by using either their username or the email address associated with their account. However, the feature returns a not found message when the provided username or email address does not match a user in the system. This can be used to enumerate users.

Recommendations For Navigate CMS version 2.9 r1433, consider modifying the forgot-password feature to return a generic message instead of indicating whether the username or email address is associated with a user, thereby preventing user enumeration. As a temporary workaround, consider restricting access to the forgot-password feature until a patch is available.