nodeSolidServer / node-solid-server

Solid server on top of the file-system in NodeJS
https://solidproject.org/for-developers/pod-server

username leak. remove "user found" from login page #1758

Closed emmettownsend closed 7 months ago

emmettownsend commented 7 months ago

Anyone can scrape usernames from an NSS service by using the login page, since it discloses "user found". (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (4.13))

[Screenshot from 2024-02-20 14-03-27]

emmettownsend commented 7 months ago

Davi found this defect yesterday. Looks like it could be fixed by just changing the error message sent back to the browser to something like: 'The username and password combination is not valid'.

bourgeoa commented 7 months ago

Thanks for reporting.