typo3/cms-core is vulnerable to information disclosure. A remote attacker is able to discover valid email address via the password reset function by analyzing the server response time upon submitting the password reset with an arbitrary email address.