Moderate severity · NVD Advisory · Published Mar 21, 2023 · Updated Feb 25, 2025

Observable Response Discrepancy in answerdev/answer

CVE-2023-1540

Description

Observable Response Discrepancy in GitHub repository answerdev/answer prior to 1.0.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-1540 is an observable response discrepancy in Answer's password reset, allowing email enumeration, patched in version 1.0.6.

Vulnerability

CVE-2023-1540 is an observable response discrepancy vulnerability in the password reset functionality of GitHub repository answerdev/answer prior to version 1.0.6 [1]. The flaw exists in the RetrievePassWord function (later renamed) of the user service, which previously returned an error when the provided email was not found, but returned a success response (or a reset code) when the email existed [3]. This difference in responses allows an attacker to determine whether a given email address is registered on the platform.

Exploitation

An attacker can exploit this by submitting password reset requests for various email addresses and analyzing the server's responses. If the response indicates success or returns a reset code, the email is registered; if it returns an error (e.g., "User not found"), the email is not registered [1][4]. No authentication is required, and the attack can be automated to enumerate large lists of email addresses.

Impact

Successful exploitation enables an attacker to enumerate valid user email addresses, which can be used for targeted attacks such as phishing or credential stuffing. This violates user privacy and can be a stepping stone for further compromise.

Mitigation

The vulnerability was fixed in commit 1de3ec27e50ba7389c9449c59e8ea3a37a908ee4, which changed the function to always return a generic success message regardless of whether the email exists [3]. Users should upgrade to Answer version 1.0.6 or later [2]. There are no known workarounds for earlier versions.
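
A regression check for the property the fix establishes, as an added example that is not code from Answer or from this advisory. The net/http handler, the `email` form field, the `/reset` route and the sample addresses are assumptions made for illustration; only status and body are compared, not headers or timing.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// users is a constructed in-memory stand-in for the user repository.
var users = map[string]bool{"alice@example.com": true}

// resetHandler is a hypothetical reset endpoint, not Answer's controller.
// With uniform=false it mimics the pre-1.0.6 behaviour (error on unknown email).
func resetHandler(uniform bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		email := r.FormValue("email")
		if !users[email] && !uniform {
			http.Error(w, `{"reason":"user not found"}`, http.StatusBadRequest)
			return
		}
		// Known and unknown addresses get the same status and body;
		// a real service would queue the reset mail here for known users only.
		w.WriteHeader(http.StatusOK)
		fmt.Fprint(w, `{"msg":"If the address is registered, a reset link was sent."}`)
	})
}

// probe sends one reset request in-process and returns "status body".
func probe(h http.Handler, email string) string {
	form := url.Values{"email": {email}}.Encode()
	req := httptest.NewRequest(http.MethodPost, "/reset", strings.NewReader(form))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return fmt.Sprintf("%d %s", rec.Code, rec.Body.String())
}

// ResponsesMatch reports whether a registered and an unregistered address
// produce an identical status and body.
func ResponsesMatch(h http.Handler) bool {
	return probe(h, "alice@example.com") == probe(h, "nobody@example.com")
}

func main() {
	fmt.Println("uniform handler:", ResponsesMatch(resetHandler(true)))
	fmt.Println("legacy handler: ", ResponsesMatch(resetHandler(false)))
}
```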

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions   Patched versions
github.com/answerdev/answer (Go)     < 1.0.6             1.0.6

Patches

1
1de3ec27e50b

fix(user): User reset password should not tell the user if the email exists.

https://github.com/answerdev/answer · LinkinStars · Feb 23, 2023 · via ghsa
2 files changed · +6 −6
  • internal/controller/user_controller.go · +1 −1 · modified
    @@ -157,7 +157,7 @@ func (uc *UserController) RetrievePassWord(ctx *gin.Context) {
     		return
     	}
     	_, _ = uc.actionService.ActionRecordAdd(ctx, schema.ActionRecordTypeFindPass, ctx.ClientIP())
    -	_, err := uc.userService.RetrievePassWord(ctx, req)
    +	err := uc.userService.RetrievePassWord(ctx, req)
     	handler.HandleResponse(ctx, err, nil)
     }
     
    
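Review bot: Nothing in this change tests the property it is meant to establish: both changed files are non-test code, and `handler.HandleResponse(ctx, err, nil)` at the end of RetrievePassWord is the only place the service result becomes visible to the client. Add a controller-level test that submits a registered and an unregistered address and asserts that status and body are identical, so a later change to the service's error handling cannot reintroduce the difference unnoticed.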
  • internal/service/user_service.go · +5 −5 · modified
    @@ -149,13 +149,13 @@ func (us *UserService) EmailLogin(ctx context.Context, req *schema.UserEmailLogi
     }
     
     // RetrievePassWord .
    -func (us *UserService) RetrievePassWord(ctx context.Context, req *schema.UserRetrievePassWordRequest) (string, error) {
    +func (us *UserService) RetrievePassWord(ctx context.Context, req *schema.UserRetrievePassWordRequest) error {
     	userInfo, has, err := us.userRepo.GetByEmail(ctx, req.Email)
     	if err != nil {
    -		return "", err
    +		return err
     	}
     	if !has {
    -		return "", errors.BadRequest(reason.UserNotFound)
    +		return nil
     	}
     
     	// send email
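Review bot: The `return nil` in the `!has` branch is silent by design, but neither that branch nor the doc comment `// RetrievePassWord .` says so. Add a comment on the branch stating that an unknown email must look like success to the caller, and expand the doc comment to match, so nobody later restores `reason.UserNotFound` as a bug fix. This branch also returns before the template work that the found path performs, so a timing difference between the two cases may remain.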
    @@ -167,10 +167,10 @@ func (us *UserService) RetrievePassWord(ctx context.Context, req *schema.UserRet
     	verifyEmailURL := fmt.Sprintf("%s/users/password-reset?code=%s", us.getSiteUrl(ctx), code)
     	title, body, err := us.emailService.PassResetTemplate(ctx, verifyEmailURL)
     	if err != nil {
    -		return "", err
    +		return err
     	}
     	go us.emailService.SendAndSaveCode(ctx, req.Email, title, body, code, data.ToJSONString())
    -	return code, nil
    +	return nil
     }
     
     // UseRePassword
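Review bot: The `return err` after `us.emailService.PassResetTemplate` is only reachable once `GetByEmail` has found the account, and the controller forwards that error to `handler.HandleResponse`, so a template failure still produces a response that an unregistered address never gets. Consider logging the error and returning nil here so that both paths answer the same way.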
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
