An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When a password reset request occurs, the server response leaks the existence of users. If one tries to reset a password of a non-existent user, an error message indicates that this user does not exist.
Serenity and StartSharp Software versions prior to 6.7.1 suffer from file upload to cross site scripting, user enumeration, and reusable password reset token vulnerabilities.