CVE-2023-38871
Published 2023-09-28
Priority: P4 (25) | Severity: medium, 5.3 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.64% (45.9th percentile)
The commit 3730880 (April 2023) and v.0.9-beta1 of gugoan Economizzer have a user enumeration vulnerability in the login and forgot password functionalities. The app reacts differently when a user or email address is valid and when it is not. This may allow an attacker to determine whether a user or email address is valid, or to brute force valid usernames and email addresses.
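The observable discrepancy described above, shown as an added example that is not Economizzer's own code: a login and a forgot-password handler that answer differently for known and unknown addresses, beside hardened versions that return one message and do the same hashing work either way. The user store, salt and `leaks_existence` regression check are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed user store: email -> PBKDF2 hash (fixed salt keeps the demo short).
SALT = b"demo-salt"


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 50_000)


USERS = {"alice@example.com": _hash("correct horse battery staple")}
# Dummy hash so the unknown-address path costs the same as the known-address path.
DUMMY_HASH = _hash(secrets.token_hex(16))


def login_vulnerable(email: str, password: str) -> str:
    # Two distinct failure messages reveal whether the address exists (CWE-203).
    if email not in USERS:
        return "Unknown email address"
    if not hmac.compare_digest(USERS[email], _hash(password)):
        return "Wrong password"
    return "OK"


def login_hardened(email: str, password: str) -> str:
    # One failure message, and a hash comparison is performed in every case.
    stored = USERS.get(email, DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password)) and email in USERS
    return "OK" if ok else "Invalid email or password"


def forgot_vulnerable(email: str) -> str:
    if email not in USERS:
        return "No account with that email"
    return "Reset link sent"


def forgot_hardened(email: str) -> str:
    # Only a registered address gets mail, but the reply is identical either way.
    if email in USERS:
        pass  # queue the reset email here (delivery not shown)
    return "If that address is registered, a reset link has been sent"


def leaks_existence(handler, known_email: str, unknown_email: str, *args) -> bool:
    """Regression check: True if the reply differs between a known and an unknown address."""
    return handler(known_email, *args) != handler(unknown_email, *args)
```

A test such as `leaks_existence(forgot_hardened, "alice@example.com", "nobody@example.com")` belongs in the application's suite so the uniform reply does not regress.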
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| economizzer | economizzer | — | — |
| economizzer | economizzer | — | — |
| gugoan | economizzer | 0 – 0.9-beta1 | — |
OSV · 2023-09-28 · CVE-2023-38871 [MEDIUM]: Economizzer user enumeration vulnerability (description as above).
GHSA · 2023-09-28 · CVE-2023-38871 [MEDIUM] CWE-203: Economizzer user enumeration vulnerability (description as above).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.