In JForum 2.1.8, an unauthenticated, remote attacker can enumerate whether a user exists by using the "create user" function. If a register/check/username?username= request corresponds to a username that exists, then an "is already in use" error is produced. NOTE: this product is discontinued.
References
| Link | Resource |
|---|---|
| https://www.criticalstart.com/2019/02/information-disclosure-in-jforum-2-1-x-syntax/ | Exploit, Third Party Advisory |
Information
Published : 2019-02-12 12:29
Updated : 2020-08-24 10:37
NVD link : CVE-2019-7550
Mitre link : CVE-2019-7550
CWE
CWE-209
Generation of Error Message Containing Sensitive Information
Products Affected
jforum
- jforum