Open jholdstock opened 1 year ago
There is no rate limiting on the password reset on the account page. If a user leaves a logged-in session unattended, an attacker can brute force the feature to find the user's password. Rate limiting should be added to mitigate this risk.
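The mitigation the issue asks for, as an added example that is not the project's own code: a per-account limiter that admits only a fixed number of password-change attempts per rolling window, checked before the current password is verified, so an unattended session cannot be used to guess the password at full speed. The account IDs, the `ChangePassword` handler shape, the HTTP-style status codes and the limit of 5 attempts per 15 minutes are all assumptions chosen for illustration; a real deployment would back the limiter with a shared store rather than process memory and verify against a password hash rather than a plaintext string.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"sync"
	"time"
)

// Status codes the hypothetical handler returns; they mirror HTTP semantics.
const (
	StatusOK              = 200
	StatusUnauthorized    = 401
	StatusTooManyRequests = 429
)

// AttemptLimiter bounds how many password-change attempts one account may
// make inside a rolling window. Keying by account (not by client IP) means an
// attacker sitting at an unattended session gets the same budget as the user.
type AttemptLimiter struct {
	mu       sync.Mutex
	limit    int
	window   time.Duration
	attempts map[string][]time.Time
	now      func() time.Time // injectable clock so behaviour can be tested
}

// NewAttemptLimiter allows at most limit attempts per key within window.
func NewAttemptLimiter(limit int, window time.Duration) *AttemptLimiter {
	return &AttemptLimiter{
		limit:    limit,
		window:   window,
		attempts: map[string][]time.Time{},
		now:      time.Now,
	}
}

// SetClock replaces the time source (used by tests to advance the window).
func (l *AttemptLimiter) SetClock(now func() time.Time) { l.now = now }

// Allow records one attempt for key and reports whether it is within budget.
// Attempts older than the window are dropped before the count is checked.
func (l *AttemptLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	cutoff := now.Add(-l.window)
	kept := l.attempts[key][:0]
	for _, t := range l.attempts[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	if len(kept) >= l.limit {
		l.attempts[key] = kept
		return false // budget exhausted: do not even look at the password
	}
	l.attempts[key] = append(kept, now)
	return true
}

// ChangePassword is the core of a hypothetical account-page handler. The
// limiter runs first, so a throttled request never reaches verification and
// every attempt (right or wrong) consumes one unit of the budget.
func ChangePassword(l *AttemptLimiter, accountID, currentPassword string,
	verify func(string) bool) int {
	if !l.Allow(accountID) {
		return StatusTooManyRequests
	}
	if !verify(currentPassword) {
		return StatusUnauthorized
	}
	return StatusOK
}

func main() {
	// Constructed account: in production verify() would check a stored hash.
	stored := "correct horse battery staple"
	verify := func(p string) bool {
		return subtle.ConstantTimeCompare([]byte(p), []byte(stored)) == 1
	}
	limiter := NewAttemptLimiter(5, 15*time.Minute)

	// Simulated guessing run against one unattended session: after five
	// misses the limiter answers 429 regardless of what is submitted.
	guesses := []string{"password", "123456", "letmein", "qwerty", "dragon",
		"correct horse battery staple"}
	for i, g := range guesses {
		fmt.Printf("attempt %d -> %d\n", i+1, ChangePassword(limiter, "acct-1", g, verify))
	}
}
```

The window and limit are deliberately small; the point is that the correct guess on the sixth attempt is refused with 429 rather than accepted, and a different account (or the same one after the window expires) is unaffected.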
I would like to address this, @alexlyp I guess this is something we are willing to fix?