CVE-2020-15132

Name of the Vulnerable Software and Affected Versions Sulu versions prior to 1.6.35 Sulu versions prior to 2.0.10 Sulu versions prior to 2.1.1

Description The issue allows attackers to retrieve valid usernames by utilizing the "Forget password" feature on the login screen. When a username or email address is entered, a response with a 400 error code is returned if the given string is not found, along with an error message indicating that the username does not exist. Additionally, the response of the "Forgot Password" request returns the email address to which the email was sent if the operation was successful, potentially exposing email addresses. The response time of the login feature can also give hints about the existence of a username. Furthermore, the reset token for the Forgot Password feature is not hashed, which could allow attackers to request a new password and look up the token in the database if they gain access to it.

Recommendations For Sulu versions prior to 1.6.35, update to version 1.6.35 or later. For Sulu versions prior to 2.0.10, update to version 2.0.10 or later. For Sulu versions prior to 2.1.1, update to version 2.1.1 or later. As a temporary workaround, consider overriding the files manually in your project and changing them accordingly to prevent information leakage. Restrict access to the "Forget password" feature and the login screen to minimize the risk of exploitation. Avoid using the "Forgot Password" feature until the issue is resolved.