Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-18384

The "Forgot your username?" form offers too much information concerning user accounts

    XMLWordPrintable

Details

    • Integration
    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      • Click on "Forgot your username?" on the login screen
      • Open http://<server>/xwiki/bin/view/XWiki/ForgotUsername and add both a valid email associated to an user and an invalid email

      Result: the platform confirms if the user exists or not.

      Expected result: a generic message concerning the user without confirming if it exists or not (e.g. "If the account is registered on the application, you will receive a dedicated message").

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-18787 The "Forgot your password?" form offers too much information concerning user accounts

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-18408 ForgotUsername is not protected against CSRF

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-18787 The "Forgot your password?" form offers too much information concerning user accounts

          • Major - Major loss of function.
          • Closed
          links to

          Web Link Github security advisory

          Activity

            People

              surli Simon Urli
              oana.tabaranu Elena-Oana Florea
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: