CVE-2020-14016
MEDIUMNavigate CMS 2.9 r1433 - User Enumeration via Forgot Password Feature
Title source: llmDescription
An issue was discovered in Navigate CMS 2.9 r1433. The forgot-password feature allows users to reset their passwords by using either their username or the email address associated with their account. However, the feature returns a not_found message when the provided username or email address does not match a user in the system. This can be used to enumerate users.
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://blog.sean-wright.com/navigate-cms/
Various Sources
https://cwe.mitre.org/data/definitions/204.html
Scores
CVSS v3
5.3
EPSS
0.0158
EPSS Percentile
72.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-640
Status
published
Products (1)
naviwebs/navigate_cms
2.9 r1433
Published
Jun 24, 2020
Tracked Since
Feb 18, 2026