Grav User Enumeration and Email Disclosure Vulnerability

Vulnerability

A user enumeration and email disclosure vulnerability exists in Grav versions through 1.7.49.5, specifically in Admin plugin versions prior to 1.11.0-beta.1. The flaw lies in the 'Forgot Password' feature, whose server response differs depending on whether the submitted username exists, leaking valid usernames and their associated email addresses. An attacker can use this to enumerate users and harvest email addresses, which may then support targeted attacks such as password spraying, phishing, or social engineering.

Impact

Exploitation allows user enumeration and unauthorized disclosure of email addresses, particularly those associated with admin accounts. This information could be misused for password spraying, phishing, or social engineering, or chained with other vulnerabilities for further exploitation.

Reproduction

To reproduce this vulnerability, open the 'Forgot Password' page in the Grav Admin interface. Submitting a password reset request with an invalid username returns a generic response. Submitting a request with a valid username returns a response that includes the email address associated with that username, demonstrating the email disclosure. Repeating the process enumerates usernames and collects email addresses.

Remediation

Update to Grav Admin version 1.11.0-beta.1 or later, where this vulnerability has been fixed.
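The following is an added illustration of the response-difference class of flaw described above and the fix pattern that closes it; it is not Grav's or the Admin plugin's own code. The user store, usernames and email addresses are constructed for the example. The vulnerable handler returns a different status and message for known and unknown usernames (and echoes the email address), while the hardened handler returns an identical client-visible response in both cases and keeps the email address on the server side only. A small check function compares what the client sees for a known and an unknown username, which is the property a reviewer or test suite should assert on a password-reset endpoint.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed sample user store (not Grav's data); values are placeholders.
USERS = {
    "admin": "admin@example.invalid",
    "editor": "editor@example.invalid",
}

# A generic message that is correct whether or not the account exists.
GENERIC_MESSAGE = (
    "If an account with that username exists, a password reset link "
    "has been sent to the email address on file."
)


@dataclass
class ResetOutcome:
    """What the reset handler produced.

    status and message are returned to the client; email_sent_to is a
    server-side side effect (the address the mailer was told to use) and
    must never be reflected in the response body.
    """
    status: int
    message: str
    email_sent_to: Optional[str] = None


def vulnerable_forgot_password(username: str) -> ResetOutcome:
    """Vulnerable pattern: the response reveals whether the user exists
    and discloses the email address for valid usernames."""
    email = USERS.get(username)
    if email is None:
        return ResetOutcome(404, "User not found.")
    return ResetOutcome(200, f"A reset link has been sent to {email}.", email)


def hardened_forgot_password(username: str) -> ResetOutcome:
    """Hardened pattern: same status code and same message for every
    input. The lookup and the mail dispatch still happen, but only as
    server-side effects that the client cannot observe in the body."""
    email = USERS.get(username)
    # In a real handler the mail would be queued here; an unknown user
    # simply results in no mail, with no change to the response.
    return ResetOutcome(200, GENERIC_MESSAGE, email)


def client_visible(outcome: ResetOutcome) -> Tuple[int, str]:
    """Project an outcome onto what the HTTP client actually receives."""
    return (outcome.status, outcome.message)


def responses_indistinguishable(
    handler: Callable[[str], ResetOutcome], known: str, unknown: str
) -> bool:
    """True when a known and an unknown username yield byte-identical
    client-visible responses, i.e. the endpoint does not leak existence."""
    return client_visible(handler(known)) == client_visible(handler(unknown))


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_forgot_password),
                          ("hardened", hardened_forgot_password)):
        leak_free = responses_indistinguishable(handler, "admin", "nobody")
        print(f"{name:10s} leak-free: {leak_free}")
```

The check compares only status and body. In a deployed endpoint the response time should also be kept similar for known and unknown usernames (for example by always performing the same amount of work, or by dispatching mail asynchronously), and the endpoint should be rate limited, since an enumeration attempt shows up as a burst of reset requests for many distinct usernames from one source.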

Added: Dec 1, 2025, 10:21 PM
Updated: Dec 1, 2025, 10:21 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 1.2
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.