CI4MS Email Enumeration Vulnerability in Password Reset Process
Vulnerability
A vulnerability allowing email enumeration has been identified in CI4MS, a CodeIgniter 4-based CMS. This issue affects versions through 0.28.4.0. The vulnerability arises during the password reset process, where an unauthenticated attacker can determine if an email address is registered by analyzing the application's response. If the email exists, a success message is returned; if not, an error message or a different HTTP status code is issued. This discrepancy can be exploited to confirm valid email addresses, potentially leading to targeted phishing attacks or brute-force attempts.
Impact
Exploitation of this vulnerability allows for email enumeration, confirming which email addresses are registered in the system. This information could be used for phishing attacks or to facilitate brute-force login attempts.
Reproduction
To reproduce this vulnerability, navigate to the password reset page of a CI4MS installation. Enter an unregistered email address and submit the request, noting the response. Then, submit a registered email address and observe the different response. The variation between these two responses confirms the presence of the enumeration vulnerability.
Remediation
Users are advised to update to version 0.28.5.0, where this vulnerability has been patched.
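After upgrading, the two responses from the reproduction step can be compared field by field to confirm they no longer differ. The following is an added example, not CI4MS code: both handlers, the Response type and the sample addresses are hypothetical and constructed for illustration, showing the differing-response pattern described above next to a uniform-response form.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)

REGISTERED = {"alice@example.test"}  # constructed sample account

def reset_leaky(email: str) -> Response:
    """Hypothetical handler with the flaw: the reply depends on the lookup."""
    if email in REGISTERED:
        return Response(200, "Reset link sent.")
    return Response(404, "Email not found.")

def reset_uniform(email: str) -> Response:
    """Hypothetical hardened handler: the same reply for every address."""
    if email in REGISTERED:
        pass  # send the reset mail here; nothing about the lookup reaches the client
    return Response(200, "If the address is registered, a reset link has been sent.")

def distinguishing_signals(a: Response, b: Response, ignore=("date",)) -> list:
    """Return the response fields by which a client could tell a from b."""
    signals = []
    if a.status != b.status:
        signals.append("status")
    if a.body != b.body:
        signals.append("body")
    # Compare headers case-insensitively, skipping ones that vary per request.
    ha = {k.lower(): v for k, v in a.headers.items() if k.lower() not in ignore}
    hb = {k.lower(): v for k, v in b.headers.items() if k.lower() not in ignore}
    if ha != hb:
        signals.append("headers")
    return signals

def check(handler) -> list:
    """Compare a handler's replies for a registered and an unregistered address."""
    return distinguishing_signals(handler("alice@example.test"),
                                  handler("nobody@example.test"))

if __name__ == "__main__":
    print("leaky handler:  ", check(reset_leaky))
    print("uniform handler:", check(reset_uniform))
```

The comparison covers status code, body and headers only; response timing can also differ between the two cases and is not measured here.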
