OpenAEV Password Reset API Email Enumeration Vulnerability

Vulnerability

A vulnerability in the OpenAEV platform's password reset API endpoint allows email enumeration. It affects OpenAEV versions from 1.11.0 up to, but not including, 2.0.13. The flaw is that the API responds with different HTTP status codes depending on whether the submitted email address exists in the system: a non-existent email receives a 400 Bad Request response, while a registered email receives a 200 OK response. This discrepancy lets an unauthenticated attacker determine which addresses are registered by automating requests against a list of candidate emails.

Impact

Exploitation of this vulnerability allows enumeration of the email addresses registered in the OpenAEV application. The resulting list can support further attacks, such as password reset abuse or credential stuffing against the identified accounts.

Reproduction

To reproduce this vulnerability, send requests to the '/api/reset' endpoint with a list of email addresses and observe the HTTP response status codes: a 200 response indicates a registered email, while a 400 response indicates an unregistered one. This can be automated with a script or a tool such as 'ffuf'.
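From the defender's side, the same status-code pattern the reproduction relies on is also what makes the activity visible in access logs: one client producing many 400 responses on the reset endpoint in a short window. The following is an added example, not OpenAEV code, that runs over constructed log lines (the log format, the field layout, the sample IPs and the threshold are all assumptions) and flags sources whose volume of 400 responses on '/api/reset' exceeds a threshold.

```python
import re
from collections import defaultdict

# Constructed access-log sample (not from OpenAEV): client IP, method, path, status.
# The format is an assumption chosen for the example; adapt LINE_RE to the real log layout.
SAMPLE_LOG = """\
10.0.0.5 POST /api/reset 400
10.0.0.5 POST /api/reset 400
10.0.0.5 POST /api/reset 200
10.0.0.5 POST /api/reset 400
10.0.0.5 POST /api/reset 400
10.0.0.5 POST /api/reset 400
10.0.0.9 POST /api/reset 200
10.0.0.9 GET /api/me 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def flag_reset_enumeration(log_text: str, path: str = "/api/reset", threshold: int = 5) -> dict:
    """Return {ip: {"total": n, "not_found": m}} for every client whose count of
    400 responses on the reset endpoint reaches `threshold` (an assumed tuning value).

    A single 400 is normal (a typo in the address); a burst of them from one source
    is the signature of someone walking a list of candidate emails.
    """
    counts = defaultdict(lambda: {"total": 0, "not_found": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] != path or m["method"] != "POST":
            continue  # only POSTs to the reset endpoint are relevant
        c = counts[m["ip"]]
        c["total"] += 1
        if m["status"] == "400":
            c["not_found"] += 1
    return {ip: c for ip, c in counts.items() if c["not_found"] >= threshold}


if __name__ == "__main__":
    for ip, c in flag_reset_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {c['not_found']} of {c['total']} reset requests returned 400")
```

Because the fixed version returns the same status code for every address, this rule only works against unpatched instances; after upgrading, the equivalent signal is simply a high request rate to the endpoint from one source, which rate limiting should also cap.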

Remediation

Users should update to OpenAEV version 2.0.13, which addresses this vulnerability by making the password reset API endpoint return the same response code regardless of whether the email is registered.
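To make the fix concrete, the following added example (not OpenAEV's code; the in-memory user store, function names and message text are assumptions) places a handler that behaves as the advisory describes beside a hardened one that returns an identical status and body for registered and unregistered addresses, and includes the regression check a maintainer would want: probe the handler with a known and an unknown email and confirm nothing observable differs.

```python
import secrets

# Constructed in-memory account store standing in for the application's user table.
USERS = {"alice@example.test": {"id": 1}, "bob@example.test": {"id": 2}}

# Tokens issued to real accounts (a stand-in for hashed, expiring tokens in a database).
ISSUED_TOKENS: dict[str, str] = {}

# Deferred mail jobs; sending happens out of band so response time does not depend
# on whether a message was actually sent.
MAIL_QUEUE: list[tuple[str, str]] = []

GENERIC_MESSAGE = {"message": "If that address is registered, a reset link has been sent."}


def reset_vulnerable(email: str) -> tuple[int, dict]:
    """Behaviour the advisory describes: the status code reveals whether the email exists."""
    if email not in USERS:
        return 400, {"error": "Unknown email"}
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[email] = token
    MAIL_QUEUE.append((email, token))
    return 200, {"message": "Reset link sent."}


def reset_hardened(email: str) -> tuple[int, dict]:
    """Same status, same body and the same work path whether or not the email exists.

    The token is generated unconditionally so that the cost of the request does not
    depend on account existence; only a real account has the token stored and mailed.
    """
    token = secrets.token_urlsafe(32)
    if email in USERS:
        ISSUED_TOKENS[email] = token
        MAIL_QUEUE.append((email, token))
    return 200, dict(GENERIC_MESSAGE)


def response_leaks_existence(handler, known_email: str, unknown_email: str) -> bool:
    """Regression check: True if the handler's (status, body) differs between a
    registered and an unregistered address, i.e. the endpoint is an enumeration oracle."""
    return handler(known_email) != handler(unknown_email)


if __name__ == "__main__":
    for name, handler in (("vulnerable", reset_vulnerable), ("hardened", reset_hardened)):
        leaks = response_leaks_existence(handler, "alice@example.test", "nobody@example.test")
        print(f"{name}: leaks account existence = {leaks}")
```

The check compares the whole response, not just the status code, because a handler that returns 200 in both cases but different JSON bodies is still an oracle. The remaining channel is timing; generating the token on both paths and moving mail delivery to a background queue keeps the two paths close, and a rate limit on the endpoint bounds what any residual difference can be used for.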

Added: Apr 20, 2026, 4:48 PM
Updated: Apr 20, 2026, 4:48 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.