Closed emmettownsend closed 7 months ago
Davi found this defect yesterday. Looks like it could be fixed by just changing the error message sent back to the browser to something like... 'The username and password combination is not valid'.
Thanks for reporting.
Anyone can scrape usernames from an NSS service by using the login page, since it discloses “user found”. (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (4.13))
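
The fix proposed in this thread, sketched as an added example (not code from this issue or from the NSS project): a login check whose response reveals whether the username exists, beside one that returns the same status and message for every failure. The user store, function names, status codes and the leaky messages are assumptions constructed for illustration.

```javascript
// Added example: hypothetical login check, not the project's own code.
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

const hash = (password, salt) => scryptSync(password, salt, 32);

// Constructed sample account store (username -> salt + password hash).
const users = new Map();
function addUser(name, password) {
  const salt = randomBytes(16);
  users.set(name, { salt, digest: hash(password, salt) });
}
addUser('alice', 'correct horse battery staple');

// Dummy record so an unknown username costs the same hashing work as a known one.
const dummySalt = randomBytes(16);
const dummy = { salt: dummySalt, digest: hash('placeholder', dummySalt) };

// Before: the error text tells the client whether the username exists.
function loginLeaky(name, password) {
  const user = users.get(name);
  if (!user) return { status: 401, error: 'No user found' };
  const ok = timingSafeEqual(hash(password, user.salt), user.digest);
  return ok ? { status: 200 } : { status: 401, error: 'User found, wrong password' };
}

// After: one status and one message for every failed login.
const GENERIC = 'The username and password combination is not valid';
function loginUniform(name, password) {
  const user = users.get(name);
  const record = user || dummy; // always hash, even for unknown usernames
  const match = timingSafeEqual(hash(password, record.salt), record.digest);
  return user && match ? { status: 200 } : { status: 401, error: GENERIC };
}

// Regression check: can a client tell "unknown user" from "wrong password"?
function distinguishable(login) {
  const unknown = JSON.stringify(login('no-such-user', 'x'));
  const wrongPw = JSON.stringify(login('alice', 'x'));
  return unknown !== wrongPw;
}
```

A check like `distinguishable` can run in the test suite so that a later change to the login error handling does not reintroduce the difference between the two failure cases.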