getgrav / grav-plugin-login

Grav Login Plugin
http://getgrav.org
MIT License

[security] Fix account enumeration vulnerability on the forgot password page #297

Closed ViliusS closed 1 year ago

ViliusS commented 1 year ago

The forgot password page is vulnerable to account enumeration.

This patch fixes that.

I was not sure if Email::sendResetPasswordEmail() is not vulnerable itself, though. From my testing it looks like it's not, but somebody with better code knowledge needs to check if neutral exceptions are thrown in case the user doesn't have an email and such.
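To make the class of bug concrete, here is an added example (not Grav's code and not the patch in this PR) of a forgot-password handler in its enumerating form beside a uniform-response form, written in Python with a constructed user store and a hypothetical mailer. The leaky version answers differently for an unknown user, a user without an email, and a successful send; the hardened version returns one fixed message for every input and records the real outcome in a server-side log. The `responses_distinguishable` helper is the check a reviewer can run to confirm the response text no longer depends on account state.

```python
"""Constructed example: forgot-password handling before and after an
account-enumeration fix. The user store, Mailer and handlers are
hypothetical stand-ins, not Grav's Email::sendResetPasswordEmail()."""
from dataclasses import dataclass, field

# Constructed user store: username -> email on file (None = no email set)
USERS = {
    "alice": "alice@example.com",
    "bob": None,
}


@dataclass
class Mailer:
    """Hypothetical mailer that records what it would have sent."""
    sent: list = field(default_factory=list)

    def send_reset(self, email):
        # Mirrors a mailer that throws when there is nothing to send to
        if not email:
            raise ValueError("no email address on file")
        self.sent.append(email)


def forgot_password_leaky(username, mailer, log):
    """Vulnerable form: the reply text changes with the account's state,
    so a caller can tell existing accounts from non-existent ones."""
    if username not in USERS:
        return "Unknown user"
    try:
        mailer.send_reset(USERS[username])
    except ValueError:
        return "User has no email configured"
    return "Reset email sent"


# One message for every outcome; it neither confirms nor denies the account
GENERIC = "If an account matches, a password reset link has been sent."


def forgot_password_uniform(username, mailer, log):
    """Hardened form: the same message for unknown users, users without an
    email, and successful sends. Details go to the server-side log only."""
    try:
        email = USERS.get(username)
        if email is None:
            # Unknown user and missing email are handled the same way
            raise ValueError("unknown user or no email on file")
        mailer.send_reset(email)
        log.append(f"reset mail sent for {username!r}")
    except ValueError as exc:
        log.append(f"reset request for {username!r} not sent: {exc}")
    return GENERIC


def responses_distinguishable(handler, usernames):
    """Review check: True if the handler's reply differs across inputs,
    i.e. the response text still leaks account state."""
    mailer, log = Mailer(), []
    replies = {handler(name, mailer, log) for name in usernames}
    return len(replies) > 1


if __name__ == "__main__":
    probe = ["alice", "bob", "carol"]  # existing, no email, non-existent
    print("leaky leaks:  ", responses_distinguishable(forgot_password_leaky, probe))
    print("uniform leaks:", responses_distinguishable(forgot_password_uniform, probe))
```

The check only covers the response body; a reviewer should also confirm that status codes, redirects and error pages are identical for all three cases, since any of those can carry the same signal.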

ViliusS commented 1 year ago

Not sure if I have reported this to the correct channel, but since it is security related somebody should look at it sooner rather than later.

ViliusS commented 1 year ago

Ping?

rhukster commented 1 year ago

Looks good to me. Thanks! Merged.