PT-2023-28142 · Piccolo · Piccolo

Skelmis · Published 2023-09-12 · Updated 2023-09-15 · CVE-2023-41885

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Piccolo versions 0.120.0 and prior

Description: The implementation of BaseUser.login in Piccolo leaks enough information to a malicious user to let them compile a list of valid usernames on the platform. Such a list can then be used in a password spray attack against those accounts. The impact of this issue is minor, because on its own it yields only a list of valid users and must be chained with other attack vectors to achieve more. The likelihood is rated as possible: exploitation requires minimal skill, especially since the login functionality used by Piccolo-based sites is open source.

Recommendations: For Piccolo versions 0.120.0 and prior, update to version 0.121.0, which resolves the issue. As a temporary workaround, consider restricting access to the BaseUser.login function until the patch can be applied, and avoid relying on the username and password parameters of the affected API endpoint until the issue is resolved.
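The following is an added illustration of the bug class this advisory describes and of the shape of the fix; it is not Piccolo's own code. It assumes the leaked signal is response time: a login routine that returns early when the username is unknown skips the expensive password hash, so "unknown user" and "wrong password" take measurably different amounts of time. The hardened variant always performs one hash computation, so both failures look identical from outside. The user table, salts, password strings and function names (`login_vulnerable`, `login_hardened`, `hash_cost`) are constructed for the demo; the hash-call counter stands in for wall-clock time so the difference is deterministic.

```python
"""Username enumeration via a timing side channel in a login routine.

Added example, not Piccolo's code. Models an early-return login (vulnerable)
beside a constant-work login (hardened). All data below is constructed.
"""
import hashlib
import hmac

PBKDF2_ITERATIONS = 100_000  # constructed value; high enough that skipping it is observable


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """The deliberately slow password hash both login variants rely on."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class HashCounter:
    """Counts expensive hash computations; a deterministic stand-in for elapsed time."""

    def __init__(self) -> None:
        self.calls = 0


# Constructed user store (hypothetical; not Piccolo's schema): username -> (salt, hash)
_ALICE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice": (_ALICE_SALT, _pbkdf2("correct horse battery staple", _ALICE_SALT))}

# Dummy credential verified when the username is unknown, so the hardened
# path always pays the same hashing cost. Its password is never accepted.
_DUMMY_SALT = bytes.fromhex("ffeeddccbbaa99887766554433221100")
_DUMMY_HASH = _pbkdf2("dummy password never accepted", _DUMMY_SALT)


def login_vulnerable(username: str, password: str, counter: HashCounter) -> bool:
    """Early return when the user is missing: no hash is computed on that path,
    so an unknown username answers noticeably faster than a wrong password."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    counter.calls += 1
    return hmac.compare_digest(_pbkdf2(password, salt), stored)


def login_hardened(username: str, password: str, counter: HashCounter) -> bool:
    """Always hash once, against the real record or the dummy, then reject
    unknown users after the comparison so both failure paths do equal work."""
    record = USERS.get(username)
    user_exists = record is not None
    salt, stored = record if user_exists else (_DUMMY_SALT, _DUMMY_HASH)
    counter.calls += 1
    matches = hmac.compare_digest(_pbkdf2(password, salt), stored)
    return matches and user_exists


def hash_cost(login_fn, username: str, password: str) -> int:
    """How many slow hashes a login attempt triggers: the enumeration signal."""
    counter = HashCounter()
    login_fn(username, password, counter)
    return counter.calls


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        unknown = hash_cost(fn, "nobody", "guess")
        known = hash_cost(fn, "alice", "guess")
        print(f"{name}: unknown user cost={unknown}, known user cost={known}")
```

Running the block shows the vulnerable routine doing zero hash computations for an unknown username and one for a known username, while the hardened routine does one in both cases; the dummy record is what makes the unknown-user path cost the same without ever allowing a login.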

Exploit · Fix · Side Channel Attack


Weakness Enumeration

Related Identifiers

CVE-2023-41885
GHSA-H7CM-MRVQ-WCFR
PYSEC-2023-173

Affected Products

Piccolo