PT-2022-25192 · Opencrx · Opencrx

Published

2022-10-20

·

Updated

2025-05-08

·

CVE-2022-40084

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

OpenCRX versions prior to 5.2.2
Description

The password reset function returns a different error message depending on whether the supplied username, e-mail address, or ID belongs to an existing account. An unauthenticated attacker can therefore submit candidate identifiers and use the response discrepancy to enumerate valid accounts (a user enumeration weakness, not a password disclosure).
Recommendations

For versions prior to 5.2.2, update to version 5.2.2 or later. As a temporary workaround, make the password reset function return the same status and message whether or not the supplied username, e-mail address, or ID exists, so that the response no longer discloses valid identifiers, and restrict and rate-limit access to the password reset functionality to limit how many identifiers an attacker can test.
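The following added example is not OpenCRX code; it shows the pattern the advisory describes in a generic password reset handler: a leaky variant whose error message depends on whether the account exists, the hardened variant that answers identically on every path, and the two-probe check a tester would use to confirm or rule out the enumeration oracle. All account data, function names and messages are constructed for the example.

```python
"""Added example (not OpenCRX code): response-discrepancy user enumeration in a
password reset handler, the uniform-response fix, and a black-box check for it.
All account data below is constructed for the example."""

import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Account:
    user_id: str
    username: str
    email: str


# Constructed sample store; the reset form accepts a username, e-mail, or ID.
ACCOUNTS = [
    Account("1001", "alice", "alice@example.org"),
    Account("1002", "bob", "bob@example.org"),
]

SENT_TOKENS: list[tuple[str, str]] = []  # stand-in for outbound reset e-mails

Response = tuple[int, str]


def find_account(identifier: str) -> Optional[Account]:
    """Resolve a username, e-mail address, or ID to an account, or None."""
    ident = identifier.strip().lower()
    for acct in ACCOUNTS:
        if ident in (acct.user_id, acct.username.lower(), acct.email.lower()):
            return acct
    return None


def send_reset_token(acct: Account) -> None:
    """Generate a single-use token and record it in place of sending mail."""
    SENT_TOKENS.append((acct.username, secrets.token_urlsafe(32)))


def reset_leaky(identifier: str) -> Response:
    """Vulnerable pattern: the failure branch names its cause, so the
    status/body pair differs for existing and non-existing accounts."""
    acct = find_account(identifier)
    if acct is None:
        return 404, "Unknown username, e-mail address or ID"
    send_reset_token(acct)
    return 200, "Password reset e-mail sent"


def reset_uniform(identifier: str) -> Response:
    """Hardened pattern: identical status and body on every path. The token is
    still generated and sent only when the account exists, so the reset flow
    itself is unchanged; only the observable response is made uniform."""
    acct = find_account(identifier)
    if acct is not None:
        send_reset_token(acct)
    return 200, "If an account matches, a password reset e-mail has been sent"


def has_enumeration_oracle(handler: Callable[[str], Response],
                           known_valid: str, known_invalid: str) -> bool:
    """Black-box check: the handler is an enumeration oracle if a known-good
    and a known-bad identifier produce observably different responses."""
    return handler(known_valid) != handler(known_invalid)


if __name__ == "__main__":
    for name, handler in (("leaky", reset_leaky), ("uniform", reset_uniform)):
        leaks = has_enumeration_oracle(handler, "alice@example.org",
                                       "nobody@example.org")
        print(f"{name}: leaks account existence = {leaks}")
```

The uniform response closes the message-based oracle the advisory describes, but it is not the whole story: the hardened handler still performs the lookup and token generation only for existing accounts, so response timing can remain a weaker side channel. In a real deployment the token generation and mail delivery should be moved off the request path (queued asynchronously) and the endpoint rate-limited, as the advisory's recommendation to restrict access to the reset functionality suggests.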

Side Channel Attack

Related Identifiers

CVE-2022-40084
GHSA-J5V3-363P-G843

Affected Products

Opencrx