CVE-2023-31286: 
C# vulnerability analysis and mitigation

An issue was discovered in Serenity Serene (and StartSharp) before version 6.7.0. When a password reset request occurs, the server response leaks the existence of users through the 'forgot password' function of the application. This vulnerability allows attackers to collect valid email addresses, which can be used to increase the efficiency of brute-force attacks (SEC Consult, NVD).

The vulnerability exists in the password reset functionality where the server provides different responses based on whether an email exists or not. When sending a POST request to /Account/ForgotPassword with an email address, the server returns a 400 Bad Request with an error message for non-existent users and a 200 OK response for existing users. This information disclosure allows attackers to enumerate valid user accounts. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability enables attackers to identify valid user accounts in the system. This information can be leveraged to conduct more targeted attacks, such as password brute-forcing or social engineering attempts against confirmed users of the system (SEC Consult).

The vulnerability has been fixed in version 6.7.0 and later. The vendor recommends users either create a new project from the 6.7.0+ template or manually apply the relevant changes after updating Serenity packages. The fix ensures that the Forgot password page does not reveal information about whether a user with the entered email exists (GitHub Patch).

The vulnerability was discovered by Fabian Densborn from SEC Consult Vulnerability Lab. Serenity.is expressed gratitude to Fabian Densborn for his discovery, analysis, and coordination, as well as the SEC Consult Vulnerability Lab for responsibly reporting the identified issues (SEC Consult).