Vulnerability Description
An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When a password reset request occurs, the server response leaks the existence of users. If one tries to reset a password of a non-existent user, an error message indicates that this user does not exist.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Serenity | Serene | < 6.7.0 |
| Serenity | Startsharp | < 6.7.0 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/172648/Serenity-StartSharp-Software-File-Up
- http://seclists.org/fulldisclosure/2023/May/14
- https://github.com/serenity-is/Serenity/commit/11b9d267f840513d04b4f4d4876de7823PatchVendor Advisory
- http://packetstormsecurity.com/files/172648/Serenity-StartSharp-Software-File-Up
- http://seclists.org/fulldisclosure/2023/May/14
- https://github.com/serenity-is/Serenity/commit/11b9d267f840513d04b4f4d4876de7823PatchVendor Advisory
- https://seclists.org/fulldisclosure/2023/May/14
FAQ
What is CVE-2023-31286?
CVE-2023-31286 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When a password reset request occurs, the server response leaks the existence of users. If one tries to reset a password of a ...
How severe is CVE-2023-31286?
CVE-2023-31286 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-31286?
Check the references section above for vendor advisories and patch information. Affected products include: Serenity Serene, Serenity Startsharp.