Vulnerability Description
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that this user name does not exist. This enables attackers to retrieve valid usernames. Also, the response of the "Forgot Password" request returns the email address to which the email was sent, if the operation was successful. This information should not be exposed, as it can be used to gather email addresses. This problem was fixed in versions 1.6.35, 2.0.10 and 2.1.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sulu | Sulu | < 1.6.35 |
Related Weaknesses (CWE)
References
- https://github.com/sulu/sulu/security/advisories/GHSA-wfm4-pq59-wg6rExploitThird Party Advisory
- https://github.com/sulu/sulu/security/advisories/GHSA-wfm4-pq59-wg6rExploitThird Party Advisory
FAQ
What is CVE-2020-15132?
CVE-2020-15132 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found,...
How severe is CVE-2020-15132?
CVE-2020-15132 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-15132?
Check the references section above for vendor advisories and patch information. Affected products include: Sulu Sulu.