GLPI Username Enumeration Vulnerability in Password Recovery Mechanism

Vulnerability

A username enumeration vulnerability has been identified in GLPI version 9.5.7, specifically within the password recovery feature. This vulnerability allows attackers to validate email addresses by sending requests to the password reset endpoint and observing variations in the responses. Such discrepancies can be exploited to determine the existence of user accounts associated with the tested email addresses.

Impact

Exploiting this flaw lets an attacker confirm which email addresses correspond to valid user accounts, turning the password recovery mechanism into a username enumeration oracle.

Reproduction

To reproduce this vulnerability, send a POST request to the password reset endpoint with an email address. Include the CSRF token and session cookie in the request. After submitting the request, check the response for indications of whether the email address is associated with a valid user account. This can be automated by scripting the process of sending requests and analyzing the responses for confirmation of valid email addresses.
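As an added illustration (not GLPI's own code), the handler pattern that produces the response discrepancy described above, beside a hardened handler that answers identically whether or not the address is registered; the user store, messages and send_mail callback are constructed for the example:

```python
"""Illustrative password-reset handlers (added example, not GLPI's code).

Shows the response discrepancy that enables email/username enumeration and a
handler that answers identically whether or not the address is registered.
"""
import secrets

# Constructed user store (assumption: a real application queries its database).
USERS = {"alice@example.invalid": 1, "bob@example.invalid": 2}

GENERIC_BODY = ("If an account exists for this address, "
                "a password reset link has been sent.")


def vulnerable_reset(email: str, send_mail) -> dict:
    """Leaks account existence: status code and body differ by outcome."""
    if email not in USERS:
        return {"status": 400, "body": "No account is associated with this email."}
    send_mail(email, secrets.token_urlsafe(32))
    return {"status": 200, "body": "A reset link has been sent to your email."}


def hardened_reset(email: str, send_mail) -> dict:
    """Uniform response: same status, same body, and the same work on both
    paths (a token is always generated) regardless of whether the account exists."""
    token = secrets.token_urlsafe(32)
    if email in USERS:
        send_mail(email, token)  # in practice hand this to a queue so timing stays uniform
    return {"status": 200, "body": GENERIC_BODY}


def leaks_existence(handler, known_email: str, unknown_email: str) -> bool:
    """Regression check a defender can keep in the test suite: True if the
    handler's response differs between a registered and an unregistered address."""
    sent = []

    def record(addr, token):
        sent.append(addr)

    return handler(known_email, record) != handler(unknown_email, record)
```

The check compares only the HTTP-level response; response timing and rate limiting on the endpoint still need separate attention.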

Added: Dec 18, 2025, 8:24 PM
Updated: Dec 18, 2025, 10:36 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 2.5
exploitability: 9.5
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.