Cv-Keep / cvkeep-backend

Cv Keep back end official repository
https://cvkeep.com

Possible User Enumeration #10

Closed LuccaPrado closed 1 year ago

LuccaPrado commented 2 years ago

I've noticed that malicious users can use the username check endpoint to perform a user enumeration. This alone isn't a serious problem, but on the getcredentials request we have an email disclosure (I'll try to submit a PR for this today), so a malicious user could pick the email of every user and use it for spam or things like that.

LuccaPrado commented 2 years ago

In fact, the PR I mentioned isn't going to happen... I'm really bad at JS, but the email disclosure I mentioned is that on the 'get' route, one of the properties of the return is the email.

felippe-regazio commented 2 years ago

The /getcredentials endpoint must return the email only for the logged-in user and only when logged in; otherwise it must not. I'll do some checks and drop a status here. Thanks Lucca ; )

netojocelino commented 1 year ago

Indeed, /getcredentials does not return the email, but when accessing /curriculum/get it is possible to get the user's private email. I have opened a Pull Request to mitigate this problem.
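
The rule stated in this thread (the email belongs only to the authenticated owner, on /getcredentials and on /curriculum/get alike) can be enforced with a single response filter. The example below is added here and is not cvkeep-backend's code; the record shape, the `ownerId` field, the `requester` object and the sample record are assumptions made for illustration:

```javascript
// Added example, not the project's own code. The record layout (`ownerId`,
// `username`, `email`, `title`) and the `requester` shape ({ id } or null for
// anonymous callers) are assumptions for this illustration.

// Fields that must never leave the server unless the caller owns the record.
const PRIVATE_FIELDS = ['email'];

// Constructed sample record, standing in for what /curriculum/get would load.
const sampleCurriculum = {
  ownerId: 'user-123',
  username: 'lucca',
  email: 'lucca@example.com',
  title: 'Software Engineer',
};

// True only when the requester is authenticated and owns the record.
function isOwner(record, requester) {
  return Boolean(requester) && requester.id === record.ownerId;
}

// View of a curriculum record for a given requester: private fields are
// stripped for anonymous callers and for any authenticated non-owner.
function curriculumView(record, requester) {
  const owner = isOwner(record, requester);
  const view = {};
  for (const [key, value] of Object.entries(record)) {
    if (!owner && PRIVATE_FIELDS.includes(key)) continue;
    view[key] = value;
  }
  return view;
}

// Simulated /getcredentials: credentials are returned only to the
// authenticated owner; everyone else gets a 401 with no record data.
function getCredentials(record, requester) {
  if (!isOwner(record, requester)) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  return { status: 200, body: { username: record.username, email: record.email } };
}

// Regression check worth keeping in a test suite: does a response body for a
// non-owner still carry any private field? Walks nested objects as well.
function exposesPrivateFields(body) {
  if (body === null || typeof body !== 'object') return false;
  return Object.entries(body).some(
    ([key, value]) => PRIVATE_FIELDS.includes(key) || exposesPrivateFields(value)
  );
}

// Stand-alone demonstration.
console.log('anonymous view:', curriculumView(sampleCurriculum, null));
console.log('owner view:', curriculumView(sampleCurriculum, { id: 'user-123' }));
console.log('anonymous /getcredentials:', getCredentials(sampleCurriculum, null));
```

The filter is a deny-list applied on the way out rather than a check scattered across route handlers, so adding a new private field (a phone number, for instance) is a one-line change, and `exposesPrivateFields` turned into a test on each public route is the cheapest way to keep the /curriculum/get regression from coming back.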

felippe-regazio commented 1 year ago

Thank you @netojocelino, the PR has been merged!