CVE-2019-25338

Description

DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to identify valid user accounts. Attackers can submit different usernames to the password reset endpoint and distinguish between existing and non-existing accounts by analyzing the server's error response messages.

How to fix CVE-2019-25338

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed

Is CVE-2019-25338 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, <= 2018-04-22b

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-25338
ADVISORYwww.vulncheck.com/advisories/dokuwiki-b-username-enumeration
EXPLOITwww.exploit-db.com/exploits/47731
WEBdownload.dokuwiki.org
WEBwww.dokuwiki.org/dokuwiki