Vulnerability: User Enumeration
Username enumeration is an activity in which an attacker tries to retrieve valid usernames from a web application. Web applications are mostly vulnerable to this type of attack on login pages, registration form pages or password reset pages. If the system is vulnerable to the username enumeration attack, the attacker may be able to obtain a list of existing usernames in the system by submitting input (valid and invalid user names) and analyzing the server response (error messages). The attacker can then run a dictionary attack to further exploit the obtained information.
Description:
At the "I have lost my password" page https://www.joomlashack.com/users/reset/, when you enter an invalid email the error message is:
Reset password failed: Invalid email address
Steps to reproduce:
Reset password failed: Invalid email address
5. Now enter a valid email.
6. The message is different.
We tried it using Burp Suite. The response can be replicated by "An email has been sent" or "If the email exists in our system, you will get a reset link".
Due to this vulnerability, enumeration of the email addresses of already registered users is possible, and/or checking whether a user with a specific email address is registered on the website; this can then be used for phishing attacks or any other malicious intent.
Best Regards,
Mudassir Aijaz
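The difference the report describes, shown as an added example that is not part of the report or of Joomla's code: a reset handler whose response reveals whether the address is registered, beside one that returns the same status and message either way and defers the mail send so the response does not vary. The user store and addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample data standing in for the site's user table.
REGISTERED_EMAILS = {"alice@example.test", "bob@example.test"}
OUTBOX: list = []  # stands in for a background mail queue


@dataclass
class Response:
    status: int
    body: str


def reset_leaky(email: str) -> Response:
    """Vulnerable pattern: the message (and status) differ for unknown vs known addresses."""
    if email not in REGISTERED_EMAILS:
        return Response(400, "Reset password failed: Invalid email address")
    OUTBOX.append(email)
    return Response(200, "An email has been sent")


GENERIC_MESSAGE = "If the email exists in our system, you will get a reset link."


def reset_uniform(email: str) -> Response:
    """Hardened pattern: identical status and body whether or not the address exists.

    The reset mail is only queued (sent asynchronously) so that the response
    does not differ in content or, as far as this handler controls, in timing.
    """
    if email in REGISTERED_EMAILS:
        OUTBOX.append(email)
    return Response(200, GENERIC_MESSAGE)


def distinguishable(handler: Callable[[str], Response], known: str, unknown: str) -> bool:
    """True if comparing status and body (the check done in the report with Burp Suite)
    lets an observer tell a registered address from an unregistered one."""
    a, b = handler(known), handler(unknown)
    return (a.status, a.body) != (b.status, b.body)
```

Running `distinguishable` against each handler with one registered and one unregistered address is the regression check to keep on a reset endpoint after the message is unified.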
For the reasons stated by Brian, I'm closing this issue. If you think it's indeed a security issue, please follow the policy for reporting security issues as also shown by Brian. Thanks.
Status | New | ⇒ | Expected Behaviour |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-11-24 11:47:34 |
Closed_By | ⇒ | Bakual |
Status | Expected Behaviour | ⇒ | Closed |
Closed_By | Bakual | ⇒ | joomla-cms-bot |
Set to "closed" on behalf of @Bakual by The JTracker Application at issues.joomla.org/joomla-cms/31471
Email addresses are not usernames in Joomla.
most importantly