If you go to /password/recover/ and enter a valid username, it redirects to /password/recover//. If you enter an invalid username then it redirects to /password/recover/IiI/, which decodes to an empty string.
This is insecure because it allows a third-party to test for username validity (and obtain previously unknown email addresses) by attempting to reset the passwords. It should not in any way expose:

- whether a username/email address is valid or not, or
- return an email address for a valid username when the email address was not known previously.
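To make the enumeration oracle concrete, here is an added example (not code from the project or from the issue author) that models the behaviour described above: the redirect token is treated as the unpadded urlsafe base64 of a JSON string, which is why an unknown username yields `IiI` (the encoding of `""`). The user store, the `hardened_recover` handler and the `leaks_existence` check are assumptions for illustration.

```python
import base64
import json

# Constructed user store for the example (not data from the issue).
USERS = {"alice": "alice@example.org"}


def _token(value: str) -> str:
    """Unpadded urlsafe base64 of a JSON string: json.dumps("") -> '""' -> 'IiI'."""
    return base64.urlsafe_b64encode(json.dumps(value).encode()).decode().rstrip("=")


def decode_token(token: str) -> str:
    """Reverse of _token: restore padding, base64-decode, JSON-decode."""
    padded = token + "=" * (-len(token) % 4)
    return json.loads(base64.urlsafe_b64decode(padded).decode())


def leaky_recover(username: str) -> str:
    """Behaviour reported in the issue: the redirect target depends on whether the
    username exists and embeds the looked-up email address (empty string if unknown)."""
    email = USERS.get(username, "")
    return f"/password/recover/{_token(email)}/"


def hardened_recover(username: str, outbox=None) -> str:
    """Fixed shape: identical redirect for every input; the address (if any) is only
    used to send the reset mail, modelled here by appending to `outbox`."""
    email = USERS.get(username)
    if email is not None and outbox is not None:
        outbox.append(email)  # stand-in for sending the reset email
    return "/password/recover/done/"


def leaks_existence(handler) -> bool:
    """Regression check: do a valid and an invalid username produce different
    responses? True means the handler acts as a username oracle."""
    return handler("alice") != handler("nobody")
```

The same comparison can be kept as a unit test so the oracle cannot silently return in a later refactor.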