Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-62512 is a user enumeration vulnerability in Piwigo's password reset functionality affecting version 15.5.0 and likely earlier 15.x releases."}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the endpoint password.php?action=lost returns different messages depending on whether the supplied username or email exists in the system.'}, {'type': 'paragraph', 'content': 'For non-existent accounts, the response is "Invalid username or email," while for existing accounts, the responses vary among messages like "Password reset is not allowed for this user," "User \\"%s\\" has no email address, password reset is not possible," "Check your email for the confirmation link," or "Error sending email."'}, {'type': 'paragraph', 'content': 'This difference in responses allows an unauthenticated attacker to confirm valid usernames or email addresses in the system, enabling user enumeration.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated attacker to determine whether specific usernames or email addresses exist in the Piwigo system.

Such user enumeration can facilitate targeted phishing attacks, brute-force attempts, or social engineering attacks by revealing valid user identifiers.

While it does not directly impact system confidentiality, integrity, or availability, it exposes user privacy by leaking information about valid accounts.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending POST requests to the endpoint password.php?action=lost with different usernames or email addresses and observing the response messages.'}, {'type': 'paragraph', 'content': 'Distinct response messages indicate whether the username or email exists in the system, which confirms the presence of the vulnerability.'}, {'type': 'paragraph', 'content': 'For example, using curl commands to test different inputs can reveal the vulnerability:'}, {'type': 'list_item', 'content': 'curl -X POST -d "username=knownuser" https://your-piwigo-site/password.php?action=lost'}, {'type': 'list_item', 'content': 'curl -X POST -d "username=unknownuser" https://your-piwigo-site/password.php?action=lost'}, {'type': 'paragraph', 'content': 'Comparing the responses such as "Invalid username or email" versus messages like "Check your email for the confirmation link" or "Password reset is not allowed for this user" indicates user enumeration is possible.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Since no patches are available at the time of reporting, the recommended immediate mitigation is to normalize the response messages from the password reset endpoint.'}, {'type': 'paragraph', 'content': 'Modify the application to always return a generic, non-disclosing message such as: "If the username or email exists in our system, you will receive an email with reset instructions."'}, {'type': 'paragraph', 'content': 'This prevents attackers from distinguishing valid from invalid usernames or emails, thereby mitigating user enumeration.'}] [1]

Useful 0 Not Useful 0