CVE-2024-54454

Name of the Vulnerable Software and Affected Versions: Kurmi Provisioning Suite versions prior to 7.9.0.35 Kurmi Provisioning Suite versions 7.10.x through 7.10.0.18 Kurmi Provisioning Suite versions 7.11.x through 7.11.0.15

Description: An issue was discovered in the sendPasswordReinitLink action of the unlogged.do page, allowing remote attackers to test whether a username is valid or not. This enables confirmation of valid usernames due to an Observable Response Discrepancy vulnerability.

Recommendations: For versions prior to 7.9.0.35, update to version 7.9.0.35 or later. For versions 7.10.x through 7.10.0.18, update to a version later than 7.10.0.18. For versions 7.11.x through 7.11.0.15, update to a version later than 7.11.0.15. As a temporary workaround, consider restricting access to the sendPasswordReinitLink action in the unlogged.do page to minimize the risk of exploitation.