The password reset feature in One Click Orgs before 1.2.3 generates different error messages for failed reset attempts depending on whether the e-mail address is registered, which allows remote attackers to enumerate user accounts via a series of requests.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| One_click_orgs | Oneclickorgs | * | 1.2.2 (including) |
| One_click_orgs | Oneclickorgs | 1.0.0 (including) | 1.0.0 (including) |
| One_click_orgs | Oneclickorgs | 1.0.1 (including) | 1.0.1 (including) |
| One_click_orgs | Oneclickorgs | 1.1.0 (including) | 1.1.0 (including) |
| One_click_orgs | Oneclickorgs | 1.1.1 (including) | 1.1.1 (including) |
| One_click_orgs | Oneclickorgs | 1.2.0 (including) | 1.2.0 (including) |
| One_click_orgs | Oneclickorgs | 1.2.1 (including) | 1.2.1 (including) |
References
- http://dmcdonald.net/?page_id=43
- https://groups.google.com/group/oneclickorgs-devspace/msg/26c40a4cc9e127d2?hl=en\u0026dmode=source\u0026output=gplain
- http://dmcdonald.net/?page_id=43
- https://groups.google.com/group/oneclickorgs-devspace/msg/26c40a4cc9e127d2?hl=en\u0026dmode=source\u0026output=gplain