Closed LuccaPrado closed 1 year ago
In fact, the PR that I mentioned isn't going to happen... I'm really bad at JS, but the email disclosure I mentioned is that on the 'get' route, one of the properties of the return value is the email.
The /getcredentials route must return the email only for your logged-in user and only when logged in; otherwise it must not. I'll do some checks and drop a status here. Thanks Lucca ; )
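The policy stated above, email returned only to the authenticated owner of the record, as an added example that is not the project's code: the record shape, the `session` object carrying a `userId`, the allowlist of public fields, and all function names are assumptions made for illustration. Unlike a fix that only deletes the `email` property, it serialises from an allowlist, so a private column added later stays hidden unless it is explicitly listed.

```javascript
// Added example, not the project's code: the record shape, the session object and the
// function names below are assumptions made for illustration.

// Constructed sample record, standing in for what a /curriculum/get handler loads from storage.
const SAMPLE_RECORD = {
  id: 42,
  username: "lucca",
  email: "lucca@example.invalid", // private: must only reach its owner
  bio: "Backend developer",
};

// Allowlist of fields anyone may see. Columns added later stay hidden unless listed here.
const PUBLIC_FIELDS = ["id", "username", "bio"];

// session is null/undefined for an anonymous request, or { userId } for a logged-in one.
function isOwner(record, session) {
  return Boolean(session) && Number.isInteger(session.userId) && session.userId === record.id;
}

// Build the response body: public fields always, the email only for the authenticated owner.
function serializeProfile(record, session) {
  const body = {};
  for (const field of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(record, field)) body[field] = record[field];
  }
  if (isOwner(record, session)) body.email = record.email;
  return body;
}

// Express-style (req, res) handler; the lookup is injected so the block runs without a database.
function makeCurriculumGetHandler(lookup) {
  return function handleCurriculumGet(req, res) {
    const record = lookup(req.query.username);
    if (!record) return res.status(404).json({ error: "not found" });
    return res.status(200).json(serializeProfile(record, req.session));
  };
}

// In-memory stand-ins so the handler can be exercised here.
function lookupSample(username) {
  return username === SAMPLE_RECORD.username ? SAMPLE_RECORD : null;
}

function fakeResponse() {
  const res = { statusCode: null, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Run the handler for a given requester and return the response that would be sent.
function runGet(username, session) {
  const res = fakeResponse();
  makeCurriculumGetHandler(lookupSample)({ query: { username }, session }, res);
  return res;
}

// Demo when executed directly: only the owner (userId 42) sees the email field.
if (typeof require !== "undefined" && require.main === module) {
  console.log("anonymous:", runGet("lucca", null).body);
  console.log("other user:", runGet("lucca", { userId: 7 }).body);
  console.log("owner:", runGet("lucca", { userId: 42 }).body);
}
```

The same `serializeProfile` can back both routes mentioned in this thread, so a future field is checked against one allowlist rather than two handlers.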
Indeed, /getcredentials does not return the email, but when accessing /curriculum/get it is possible to get the user's private email. I request a Pull Request to mitigate this problem.
Thank you @netojocelino, the PR has been merged!
I've noticed that malicious users can use the username check endpoint to perform user enumeration. This alone isn't a serious problem, but on the getcredentials request we have an email disclosure (I'll try to submit a PR for this today), so a malicious user could pick up the email of every user and use it for spam or things like that.