On the "Forgot Password" page (i.e. https://www.nuget.org/account/ForgotPassword) you can enter a username as well as an email address.
If you do enter a username then the next page (i.e. https://www.nuget.org/account/PasswordSent) contains the user's email address in the following message:
We've sent an email to <EMAIL> containing a temporary url that will allow you to reset your NuGet.org account password for the next 24 hours. Please check your spam folder if you don't receive the email within a few minutes.
This feels like a leak of information which a user wouldn't expect to be public.
The fix may be to stop password resets through a username, or it may be to remove the email address from the final message.
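
The second fix suggested above (keep username resets, but drop the address from the confirmation page) can be sketched as follows. This is an added example, not NuGet Gallery code and not part of the original report; it is written in Python rather than the project's own language, and the account data, function names and generic message wording are assumptions made for illustration.

```python
"""Added example: reset confirmation that does not disclose the account's email."""

# Constructed sample data: username -> registered email (not real accounts).
ACCOUNTS = {"alice": "alice@example.test", "bob": "bob@example.test"}

# Wording of the confirmation page as quoted in the issue.
LEAKY_TEMPLATE = ("We've sent an email to {email} containing a temporary url that "
                  "will allow you to reset your NuGet.org account password for the "
                  "next 24 hours.")
# Assumed replacement wording: it contains nothing that came from the lookup.
GENERIC_MESSAGE = ("If that username or email address matches an account, we've "
                   "sent a password reset link to the address registered for it.")


def resolve_email(identifier, accounts=ACCOUNTS):
    """Map a username or an email address to the registered email, or None."""
    ident = identifier.strip().lower()
    if ident in accounts:
        return accounts[ident]
    return ident if ident in accounts.values() else None


def reset_leaky(identifier, outbox):
    """Behaviour reported in the issue: the page renders the looked-up address."""
    email = resolve_email(identifier)
    if email is None:
        # The issue does not describe this branch; a generic reply is assumed.
        return GENERIC_MESSAGE
    outbox.append(email)
    return LEAKY_TEMPLATE.format(email=email)


def reset_fixed(identifier, outbox):
    """Still send the mail, but show nothing that was derived from the lookup."""
    email = resolve_email(identifier)
    if email is not None:
        outbox.append(email)  # the link goes only to the registered mailbox
    return GENERIC_MESSAGE    # same text for a username, an email, or no match


def discloses(message, accounts=ACCOUNTS):
    """Regression check: does a rendered page contain any registered address?"""
    return any(addr in message for addr in accounts.values())
```

A check like `discloses` can run in an integration test against the rendered confirmation page so the address does not reappear in a later template change.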
Entering a username leaks the associated email address #2882
3c449ef
That's a great find! We'll be deploying an update to this ASAP.