First published: Wed Jun 24 2020
An issue was discovered in Navigate CMS 2.9 r1433. The forgot-password feature allows users to reset their passwords by using either their username or the email address associated with their account. However, the feature returns a not_found message when the provided username or email address does not match a user in the system. This can be used to enumerate users.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Naviwebs Navigate CMS | =2.9-r1433 | |
CVE-2020-14016 is a vulnerability discovered in Navigate CMS 2.9 r1433.
The forgot-password feature in Navigate CMS allows users to reset their passwords by using either their username or the email address associated with their account.
If the provided username or email address does not match a user in the system, the forgot-password feature returns a 'not_found' message, which can be used to enumerate users.
CVE-2020-14016 has a severity rating of 'medium' with a score of 5.3.
To fix the vulnerability in Navigate CMS 2.9 r1433, it is recommended to update to a newer version or apply any available patches provided by the vendor.
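
The response difference described above, next to a uniform-response form and a regression check that compares the two, as an added example (Python sketch, not Navigate CMS code or the vendor's patch). All function names, the sample accounts and the message text are assumptions made for illustration.

```python
import secrets

# Constructed sample accounts (not Navigate CMS data).
USERS = {"alice": "alice@example.test", "bob": "bob@example.test"}

# One body for every request, whether or not the account exists.
GENERIC = {"status": "ok",
           "message": "If the account exists, a reset link has been sent."}


def find_user(identifier):
    """Match on username or e-mail address, as the advisory describes."""
    ident = identifier.strip().lower()
    for name, email in USERS.items():
        if ident in (name, email):
            return name
    return None


def forgot_password_leaky(identifier):
    """Behaviour from the advisory: unknown accounts get a distinct answer."""
    if find_user(identifier) is None:
        return {"status": "error", "message": "not_found"}
    return {"status": "ok", "message": "email_sent"}


def forgot_password_uniform(identifier, outbox):
    """Hardened form: identical response; the queued mail is the only difference."""
    user = find_user(identifier)
    token = secrets.token_urlsafe(32)  # generated on every request
    if user is not None:
        # Queue the mail instead of sending inline, so response time
        # does not depend on whether the account exists.
        outbox.append((USERS[user], token))
    return dict(GENERIC)


def responses_distinguish_accounts(handler, known, unknown):
    """Regression check: True if the response reveals account existence."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    queue = []
    print(responses_distinguish_accounts(forgot_password_leaky, "alice", "nobody"))
    print(responses_distinguish_accounts(
        lambda i: forgot_password_uniform(i, queue), "alice", "nobody"))
```

The same comparison can be kept as a test against the real reset endpoint after upgrading, with rate limiting on the endpoint as a complementary control.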