VulnerableCode Package Details - pkg:nuget/Serenity.Net.Web@6.7.0

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4d3e-jnb9-zuat	User account enumeration in Serenity An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When a password reset request occurs, the server response leaks the existence of users. If one tries to reset a password of a non-existent user, an error message indicates that this user does not exist.	CVE-2023-31286 GHSA-w7jm-9x4m-8qc3
VCID-fbu3-1dn2-jybb	Insufficient token expiration in Serenity An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. Password reset links are sent by email. A link contains a token that is used to reset the password. This token remains valid even after the password reset and can be used a second time to change the password of the corresponding user. The token expires only 3 hours after issuance and is sent as a query parameter when resetting. An attacker with access to the browser history can thus use the token again to change the password in order to take over the account.	CVE-2023-31287 GHSA-2hp9-3xfr-r9w2

Vulnerability

Summary

Aliases

VCID-4d3e-jnb9-zuat

User account enumeration in Serenity An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When a password reset request occurs, the server response leaks the existence of users. If one tries to reset a password of a non-existent user, an error message indicates that this user does not exist.

CVE-2023-31286
GHSA-w7jm-9x4m-8qc3

VCID-fbu3-1dn2-jybb

Insufficient token expiration in Serenity An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. Password reset links are sent by email. A link contains a token that is used to reset the password. This token remains valid even after the password reset and can be used a second time to change the password of the corresponding user. The token expires only 3 hours after issuance and is sent as a query parameter when resetting. An attacker with access to the browser history can thus use the token again to change the password in order to take over the account.

CVE-2023-31287
GHSA-2hp9-3xfr-r9w2

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T17:15:22.338498+00:00	GithubOSV Importer	Fixing	VCID-fbu3-1dn2-jybb	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-2hp9-3xfr-r9w2/GHSA-2hp9-3xfr-r9w2.json	38.6.0
2026-06-04T17:15:19.117738+00:00	GithubOSV Importer	Fixing	VCID-4d3e-jnb9-zuat	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-w7jm-9x4m-8qc3/GHSA-w7jm-9x4m-8qc3.json	38.6.0
2026-06-02T04:44:41.609078+00:00	GitLab Importer	Fixing	VCID-fbu3-1dn2-jybb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Serenity.Net.Web/CVE-2023-31287.yml	38.6.0
2026-06-02T04:44:41.393133+00:00	GitLab Importer	Fixing	VCID-4d3e-jnb9-zuat	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Serenity.Net.Web/CVE-2023-31286.yml	38.6.0