| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| getgrav/grav | composer | < 1.8.0-beta.27 | 1.8.0-beta.27 |
Requesting https://<target>/admin/forgot with a username that does not exist (invalid_user) returns:

Instructions to reset your password have been sent to your email address

Requesting it with an existing username (admin) returns:

Cannot reset password for admin@localhost.test, password reset functionality temporarily blocked, please try later (maximum 60 minutes)

This discrepancy in responses enables an observer to tell existing usernames from non-existent ones, and the second message additionally discloses the account's email address (admin@localhost.test). This violates best practices for authentication flows, where responses should remain generic to avoid leaking sensitive information.
Modify the taskForgot() logic to always return a generic, non-identifying message, regardless of whether the username exists or rate limits are hit.
Example safe response:
If the account exists, password reset instructions will be sent.
Do not include email addresses ($to) or other sensitive data in error messages.
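The following is an added illustration, not Grav's own code: a minimal forgot-password handler in the leaky shape described above next to one that always returns the generic message. The user store, function names and reset-block timestamps are constructed for this example.

```php
<?php
// Constructed in-memory user store (not Grav's account storage).
$users = [
    'admin'  => ['email' => 'admin@localhost.test',  'reset_blocked_until' => time() + 3600],
    'editor' => ['email' => 'editor@localhost.test', 'reset_blocked_until' => 0],
];

// Leaky pattern: the message depends on whether the user exists and on the
// rate limit, and the rate-limit branch embeds the account's email ($to).
function forgotResponseLeaky(array $users, string $username): string
{
    if (!isset($users[$username])) {
        return 'Instructions to reset your password have been sent to your email address';
    }
    $to = $users[$username]['email'];
    if ($users[$username]['reset_blocked_until'] > time()) {
        return "Cannot reset password for {$to}, password reset functionality temporarily blocked, please try later (maximum 60 minutes)";
    }
    // ... send the reset mail to $to ...
    return 'Instructions to reset your password have been sent to your email address';
}

// Hardened pattern: do the same work internally, but every branch returns one
// identical message, so the response reveals neither account existence,
// nor rate-limit state, nor the email address.
function forgotResponseGeneric(array $users, string $username): string
{
    $generic = 'If the account exists, password reset instructions will be sent.';
    if (isset($users[$username])) {
        $account = $users[$username];
        if ($account['reset_blocked_until'] <= time()) {
            // ... send the reset mail to $account['email'] ...
        } else {
            // Record the rate-limit hit in server-side logs, never in the response.
            error_log("password reset rate-limited for user '{$username}'");
        }
    }
    return $generic;
}

// Same three inputs through both handlers: the leaky one yields three distinct
// outcomes, the hardened one yields the same string for all of them.
foreach (['invalid_user', 'admin', 'editor'] as $name) {
    echo str_pad($name, 13) . ' leaky:   ' . forgotResponseLeaky($users, $name) . "\n";
    echo str_pad($name, 13) . ' generic: ' . forgotResponseGeneric($users, $name) . "\n";
}
```

The HTTP status code and response time should be kept uniform across the branches as well; the message text is only the part this advisory covers.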