Observable Response Discrepancy in amirsanni/mini-inventory-and-sales-management-system

Valid

Reported on

Sep 26th 2021


Description

It is possible to enumerate registered emails using the forgot password functionality, as the application shows a different response when the email exists and when it does not exist.

Proof of Concept

https://i.imgur.com/lFJ2f05.png

Impact

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
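The discrepancy described in this report and one way to remove it, as an added example that is not the project's code or its private fix. The function names, response messages and sample addresses are all assumptions made for illustration.

```php
<?php
// Added illustration with hypothetical names; not taken from the project.

// Constructed sample data standing in for the user table.
const REGISTERED_EMAILS = ['admin@example.test'];

// Hypothetical mailer: hands the message to a queue so the HTTP response
// does not wait on mail delivery for existing accounts only.
function queueResetMail(string $email): void
{
    $GLOBALS['resetQueue'][] = $email;
}

// Behaviour the report describes: the reply depends on whether the
// email is registered, so the response itself reveals account existence.
function forgotPasswordLeaky(string $email): array
{
    $email = strtolower(trim($email));
    if (!in_array($email, REGISTERED_EMAILS, true)) {
        return ['status' => 0, 'msg' => 'Email not found'];
    }
    queueResetMail($email);
    return ['status' => 1, 'msg' => 'Reset link sent'];
}

// Hardened form: identical status and message on both paths; only the
// side effect (queuing the mail) differs, and the caller cannot see it.
function forgotPasswordUniform(string $email): array
{
    $email = strtolower(trim($email));
    if (in_array($email, REGISTERED_EMAILS, true)) {
        queueResetMail($email);
    }
    return ['status' => 1,
            'msg' => 'If that address is registered, a reset link has been sent.'];
}

// Regression check: the response for a registered address must be
// indistinguishable from the response for an unregistered one.
function responsesMatch(callable $handler): bool
{
    return $handler('admin@example.test') === $handler('nobody@example.test');
}

echo 'leaky handler uniform: ', var_export(responsesMatch('forgotPasswordLeaky'), true), PHP_EOL;
echo 'fixed handler uniform: ', var_export(responsesMatch('forgotPasswordUniform'), true), PHP_EOL;
```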

We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back 2 years ago
Amir validated this vulnerability 2 years ago
wr3nch0x1 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir marked this as fixed in This fix was applied on a private repo with commit 8a5595 2 years ago
Amir has been awarded the fix bounty
index.php#L1-L315 has been validated